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Preface 



Complementarity is one of the central mysteries of quantum mechanics. First put forth by Bohr [1, 
2,3], complementarity holds that the attributes of a physical system familiar from classical mechan- 
ics do not all simultaneously exist and are not entirely independent of how they are measured. Fa- 
mously, if the momentum of a particle is known then its position must be unknown, and vice versa, 
a fact encapsulated in Heisenberg's uncertainty relation AxAp > fi/2 [A]. Even more dramatic is 
the wave-particle duality encountered in Young's double-slit experiment, which illustrates the im- 
portant role of observation. Light passing through the double slit setup produces an interference 
pattern on a screen beyond the slits, as would be characteristic of a wave. But a closer examina- 
tion reveals that light arrives in particle-like "packets" at the screen, and the interference pattern 
only arises as a statistical average of these particle arrival events. This particle picture tempts us to 
observe which slit the light went through, which we find destroys the interference pattern! Feyn- 
man regarded this bizarre phenomena as characteristic of all the seemingly-paradoxical quantum 
behavior, claiming that the double-slit experiment is "impossible, absolutely impossible to describe 
classically, [and which] has in it the heart of quantum mechanics", and that "in reality, it contains 
the on/y mystery" (emphasis original) [5]. 

The overarching goal of this thesis is to demonstrate that complementarity is also at the heart 
of quantum information theory, that it allows us to make (some) sense of just what information 
"quantum information" refers to, and that it is useful in understanding and constructing quantum 
information processing protocols. The detailed research results which form the basis of these claims 
are to be found in the included papers, and the aim here is to present an overview comprehensible 
to a more general audience. ^ 

As we shall see in Chapter 1, quantum information can heuristically be thought of as a kind of 
combination of two types of normal "classical" information, specifically, classical information about 
the result of measuring one of two complementary observables. Due to the uncertainty principle, 
we can expect both pieces of information are not simultaneously realizable, and indeed the uncer- 
tainty principle will play a central quantitative role throughout this work. Particularly relevant will 
be the entropic uncertainty relation of [RB09] and its generalization in [BCC+10], which state that 
the more that can be known by one party about one observable, the less can be known by another 
party about a complementary observable. That complementary observables play an important role 
in quantum information theory is not new to this thesis, and Chapter 2 discusses several fundamen- 
tal quantum information processing tasks based on their use, such as teleportation and quantum 
error-correction. This chapter also provides some relevant formal background for the remainder of 
this work and establishes the notation used herein. 

Chapter 3 begins the overview of the new results obtained in the included papers. Here we 
show that information about complementary observables not only plays an important role, but in- 
deed a central one, and that possession of both complementary pieces of classical information is 
strictly equivalent to the existence of entanglement between the physical system the information 
pertains to and the system in which the information is stored. Moreover, the uncertainty principle 
provides a dual characterization, saying that entanglement between these two systems exists when 
the "environment", i.e. any and all other degrees of freedom, has no information about either com- 
plementary observable. Both characterizations can be modified to describe secret keys useful in 
cryptography instead of entangled states. Because Chapter 3 gathers and mixes results from several 



^The included papers are referenced in alphabetical style, while references to other works are numeric. 
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of the included papers, it is entirely self-contained, whereas subsequent chapters do not go into as 
much detail. 

In Chapter 4 we show that this complementary approach is also useful in constructing quan- 
tum information processing protocols and understanding why they work. Especially relevant is the 
process of entanglement distillation, that is, extracting maximal entanglement from a imperfectly- 
entangled bipartite resource system. The entanglement distillation process can be built up from 
two instances, one for each of two complementary observables, of a simpler distillation process for 
classical information called information reconciliation or data compression with side information. 
Here partial classical correlation between two systems is refined into maximal correlation, and rec- 
onciling classical information about two complementary observables. Protocols for entanglement 
distillation can then be adapted to a large variety of quantum information processing tasks, such as 
quantum communication over noisy channels or distillation of secret keys. 

Chapter 5 extends the duality in characterizing entanglement afforded by the uncertainty prin- 
ciple to two fundamental information processing tasks, the information reconciliation task of es- 
tablishing correlations with the first party on the one hand, and the task of removing all correlations 
with the second party on the other. The latter is known as privacy amplification, and it turns out that 
the ability to perform one protocol implies the ability to perform the other in certain circumstances. 
This duality also implies alternative methods of entanglement distillation, in particular one which 
proceeds by destroying all classical correlations with the environment that pertain to two comple- 
mentary observables. We shall also see that information reconciliation and privacy amplification 
can be combined to enable classical communication over noisy quantum channels. 

Finally, Chapter 6 describes the usefulness of this approach to establishing the security of quan- 
tum key distribution (QKD) . QKD is perhaps the most natural setting in which the uncertainty prin- 
ciple and corresponding issues of complementarity are immediately relevant, as the goal of this 
protocol is to establish a secret key between two spatially-separated parties, a shared piece of clas- 
sical information which no one else should know. Since the uncertainty principle can be under- 
stood as a limitation on who can know how much about what sorts of information, we shall see that 
complementarity-based arguments form the basis for the security of QKD protocols. These allow 
us to increase the security threshold, the maximum amount of tolerable noise, of several protocols 
beyond the previously-known values. 

The following table summarizes which included papers form the basis for the various sections. 
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Introduction: What is Quantum Information? 



At a stroke, Shannon's landmark 1948 publication A Mathematical Theory of Communication [6] es- 
tablished the field of information theory, laying out the fundamental lines of inquiry and answering 
some of the important basic questions. The fundamental problem, according to Shannon, "is that 
of reproducing at one point either exactly or approximately a message selected at another point." 
The different points may be different places, in which case we are interested in transmitting mes- 
sages from one party to another, such as in a telephone conversation, or they could be different 
times, and the message should be reliably stored, such as on a sheet of paper. The physical systems 
used to convey the message carry information, which is measured by the entropy in units of bits, 
short for binary digits. ^ 

The fact that abstract information must always be instantiated in some physical system and that 
this results in a connection between physics and information theory was stressed by Landauer. He 
observed this implies that logically irreversible operations, like erasure of information, are there- 
fore physically irreversible and must be driven by a source of energy [8, 9]. This was later used 
to resolve the paradox of Maxwell's Demon in which an intelligent being can apparently violate the 
second law by sorting the molecules of a gas into hot (fast) and cold (slow) [10]. Building on Szilard's 
simplification of the paradox to a one-atom gas occupying either the left or right side of a divided 
container [11], Bennett showed that the work gained by the demon is precisely balanced by the work 
needed to reset the demon's memory in a cyclic process [ 12] . It should be noted that Szilard's simpli- 
fication of the problem to a gas occupying one of two nearly anticipates the information-theoretic 
idea of a bit, also demonstrating the connections between these two fields. 

The field of quantum information grew out of this connection by asking the question: What 
happens to information processing and information theory in general when the information carri- 
ers are described by quantum mechanics? One immediate implication is the possibility of quantum 
superpositions of information states of a bit. Instead of just the usual Os and Is, which might be 
encoded quantum mechanically as |0) and |1), we can also have states of the form orjO) -1-^ |1) for 
a,l3 e C and jaj^ + [ySp — i. xhis change in structure requires us to reexamine the entirety of Shan- 
non's information theory, rather than being able to only slightly modify the results to account for 
quantum effects, as pointed out by Ingarden [13]: "The old theory [Shannon's theory] cannot be 
improved only by inserting into it some quantum formulae."^ 

By now, a new, explicitly quantum information theory has been constructed by asking many 
of the same questions as before, but answering them with the tools and methods of quantum me- 
chanics; see for instance the textbook of Nielsen and Chuang [14]. It has also been possible to adapt 
many of the techniques of usual, classical information theory to the quantum setting. For instance, 
Schumacher's result that quantum information emitted from a source can be compressed at a rate 
equal to the von Neumann entropy of the source follows Shannon's original result quite closely [15]. 
Nevertheless, in contrast to the classical case, we are still left with the question of what quantum 
information is information about. 

The core theme of this thesis is that quantum information is in a certain sense a combination 
of two pieces of classical information, information about two physical observables which are com- 
plementary in the sense first put forth by Bohr [1, 2, 3] and exemplified by the wave-particle duality 
in the double-slit experiment [5]. Moreover, this point of view is useful in understanding and con- 

1 Interestingly, Vannevar Bush had already used the phrase of "bits of information" in 1936 to describe information 
encoded into punchcards [7], though his meaning is different from Shannon's. 

^Ingarden also gives a very lucid description of the historical development of quantum information theory for the 
interested reader. 
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structing protocols in quantum information tiieory. To appreciate tliis view of quantum information 
more clearly, the focus of this chapter, it is useful to first make the notions of classical information 
concrete in the following exceedingly simple game, the information game. 

1 . 1 Understanding Classical Information via the Information Game 

The information game has two players, Alice and Bob, and begins with Bob placing a coin, either 
heads or tails, in a box, and giving the box to Alice. At some point later she asks Bob whether she 
will see heads or tails when she opens the box. Bob's goal is to win the game by correctly matching 
Alice's observation. 

Is there a strategy with which Bob can always win the game? Of course. For instance. Bob could 
always place the coin heads up in the box and answer "heads" whenever Alice comes asking. He 
could also just randomly place the coin heads up or down in the box, as long as he remembers which 
it was when Alice asks; this task of remembering is precisely Shannon's fundamental problem. To 
solve it. Bob could just write down "heads" or "tails" on a piece of paper and save it for later. In 
this sense, the paper carries information about the coin, in particular about what Alice will observe 
when she opens the box. Because there are two equally-likely possibilities. Bob could just as well 
use one binary digit, a zero or one, to remember the state of the coin. Therefore the paper carries 
one bit of information. 

Formally, Bob's choice of the state of the coin can be represented as a binary-valued random 
variable X, taking on the values "heads" and "tails" with whatever probabilities pheads and ptaiis = 
1 — pheads he decides. The state of the memory system he uses to remember the state of the coin can 
likewise be represented by a random variable, M, and a winning strategy simply has M — X for any 
choice of X. 

The amount of information stored the memory can be quantified by the Shannon entropy, de- 
fined for an arbitrary random variable Y as 



using log — log2 to measure in bits, a choice we shall make henceforth. The entropy of a random 
variable Y quantifies its uncertainty and is equal to the expected number of binary (yes/no) ques- 
tions one would need to ask about Y in order to determine its actual value y [16]. A more con- 
centrated distribution is less uncertain and makes guessing easier, and therefore has lower entropy, 
whereas the uniform distribution has maximum entropy and requires the most questions. 

To win the game, the contents of the memory must determine the state of the coin, and thus 
contain information equal to the entropy of the coin H{X). Thus, for the original winning strategy 
no information is stored in the memory at all — the memory is not even needed — as the coin always 
shows heads. Correspondingly, the entropy of this distribution is zero. In the second strategy, the 
memory stores one bit of information, since the coin is placed randomly in the box and H{X) — 1. 
For distributions in between these two limiting cases, we can imagine many playing many rounds of 
the game and the entropy gives the ratio of number of questions needed to number of rounds. For 
the distribution pheads — \> Ptaiis = |. which has entropy H{X) = 3 — | logj 7 0.54, only 54 questions 
would be needed to determine the state of the coin in 100 rounds of play. In this case each memory 
register stores roughly one-half a bit of information. 

On the other hand, given the value stored in the memory, the entropy of the coin random vari- 
able X is zero for every winning strategy. Formally, we can describe this using the conditional en- 




(1.1) 
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tropy, defined using the probability ofX — x conditional on M—m, px\m = PxmlPm ^ 

H{X\M) = Y^p^H{X\M = m), for //(X|M - m) - logp;,|„. (1.2) 

m X 

The conditional entropy can also be shown to satisfy H{X\M) = H{XM)—H[M), and we can interpret 
it as the uncertainty of X given knowledge of M. Since a winning strategy only requires M = X, it 
is easy to work out that H{X\M) = regardless of Bob's choice of X, the probability distribution he 
uses to decide whether to place the coin heads up or down. If the memory is faulty, then the stored 
value will not precisely match the state of the coin. For instance, if there is one chance in eight of 
a memory error and the coin was placed randomly in the box, then Pheads|heads = |. Ptaiis|heads — |. 
and similarly for the probability conditioned on tails. Working out the conditional entropy, we find 
H{X\M) 0.54, meaning roughly half the information about the coin has been corrupted! 



1 .2 Complementarity in the Information Game 

What changes if Alice and Bob play the game with the quantum version of coins, qubits, instead of 
classical bits? Qubits are any quantum system with two levels, which we denote |0) and for in- 
stance the polarization degree of freedom of a single photon (horizontal versus vertical polarization) 
or the angular momentum of a spin- 1 particle (angular momentum aligned or antialigned with a 
fixed spatial axis). Quantum-mechanical complementarity now comes into play and we can alter 
the game to illustrate the various effects concretely. Before doing so, let us discuss more precisely 
what is meant by complementarity, adopting the language of the wave-particle duality simplified to 
a single photon in a Mach-Zehnder interferometer. 

Thinking of light as a particle, we expect to find the photon in one or the other of the two modes. 
By placing a photodetector in each arm of the interferometer, we can determine where the photon 
is by looking to see which of the photodetectors is triggered. Let us call this the amplitude mea- 
surement. Associating the states |0) and |1) to the two modes, the amplitude measurement corre- 
sponds to a projective measurement in this basis. We may also define the amplitude observable by 
assigning values to the two possible outcomes. The usual choice comes from thinking of a qubit 
as a spin- 1 particle and using the angular momentum, and we define the amplitude observable as 
Z — |0) (0| — |1) That is, a photon in the first mode takes the value +1 and in the second —1. 

If we instead think of light as a wave, we expect there to be a certain phase relationship between 
the two arms, and in this case the light can interfere either constructively (in phase, -I-) or destruc- 
tively (out of phase, — ). To determine which, we allow the two modes to interfere at a beamsplitter 
and then check in which mode the photon emerges with a photodetector. Let us call this the phase 
measurement. Like the amplitude measurement, the phase measurement is a projective measure- 
ment, but in the basis |±) = -^(10) ± 1 1)). Again we can define a corresponding observable, the phase 
observable, which for later convenience is defined exactly as the amplitude observable, but in the 
new basis: X=\+) (+| - |-) (-|. In the original basis this works out to be X = |1) (0| -I- 10) 

Amplitude and phase are complementary properties precisely as in the double slit setup, in 
the sense that if the photon is in a definite mode, then the phase relationship is completely un- 
defined, and vice versa. This can be immediately seen from the two sets of basis states, as mea- 
surement of either eigenstate of amplitude produces a completely random outcome. At the level 
of observables, we can quantify this by an uncertainty relation. The most famous of these is the 

^We follow physicists' conventions of naming arguments of functions and expressions, so that e.g. Pm\x is the proba- 
bility ofM — m given X = x, not the probability oiX=m given M = x. 
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Heisenberg-Robertson relation relating the variances of the observables to the expectation of their 
commutator [4, 17], 

AXAZ>||([X,Z])^,|, (1.3) 

where denotes the expectation value evaluated for the quantum state \il>} of the system. In 
this case, however, the bound is trivial. Since the operators X and Z anticommute [XZ + ZX = 0), 
the righthand side reduces to |(XZ)^,|. Choosing \ip) = |0) immediately yields zero, and a simple cal- 
culation shows this conclusion holds for any possible choice of amplitude and phase observables. 

Fortunately, there exist uncertainty relations for which the bound is state-independent. In par- 
ticular, a version due to Maassen and Uffink is formulated in terms of entropy [18],^ 

H{X\,+H{Z)^>log^. (1.4) 

I |2 

The quantity c is related to the commutativity of the observables, c = maxj,^: for \ipj) the 

eigenvectors of X and those of Z, while the entropies are independently evaluated for the out- 
comes of the two observables, respectively, given that the system is originally in the quantum state 
tp . In addition to the state-independent bound, the values of the observable can take play no role 
in the measure of uncertainty, only the probabilities of the various values. This makes the entropy 
a somewhat more natural measure than the variance. In the present case the two observables are 
complementary, meaning c takes on its maximal value, 1 (for observables on a £^ -level quantum 
system Cmax = logd). Thus, the amplitude and phase measurements cannot both be certain, and 
there must be at least one bit of total entropy. 

Alice and Bob can still play the classical information game with qubits, provided Alice only ever 
makes, say, the amplitude measurement. Bob is free to prepare amplitude eigenstates at random, 
just as before. In this sense the formalism of quantum information theory encapsulates classical 
information theory, as anything we wish to express in the latter can be done by working in a fixed 
basis in the former.^ 

Now suppose we alter the game so that Alice is free to make either an amplitude or a phase 
measurement, but she does not tell Bob which. Bob can prepare arbitrary qubit states, but to win 
the game he would need to be certain of the outcomes of both possible measurements. According 
to the Maassen-Uffink relation. Equation (1.4), this is impossible. There is no quantum state lijj) 
Bob can send to Alice such that H{X)ip and H{Z)^p are both zero, and therefore he cannot win the 
game with certainty. A simple calculation shows that the best chance Bob has to win the game is 
to send Alice a state like — cos ^ |0) + sin f 1 1), which is "in between" the amplitude and a phase 
eigenstates |0) and |-|-) in that | (0|i/') I = \ {+H') I- Using Bob has a roughly 85% chance (| + ^) 
of correctly predicting that outcomes of either measurement is +1. 

1 .3 Entanglement in the Information Game 

What if, after receiving the qubit from Bob, Alice decides on a measurement at random and only asks 
for a prediction to this particular measurement? Since Bob does not know in advance which mea- 
surement Alice will perform, it would seem that this does not help. After all, he is still faced with the 

''Entropic uncertainty relations for position and momentum were first conjectured by Everett [19, 20] and 
Hirschmann [21] and proven by Becker [22]. Generalizations to arbitrary observables were made by Bialynicki-Birula 
andMycielski [23] andDeutsch [24]. Kraus [25] first conjectured the stronger form (1.4). 

^Here we consider only finite and not continuous alphabets. 
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impossible task of preparing a state whose amplitude and phase are both predictable. Surprisingly, 
however, there does exist a winning strategy! The trick is for Bob to store quantum information 
about the system he sends to Alice. Note that in the game as played in the previous section, Bob 
really only makes use of classical memory. He may store information such as how he prepared the 
state for Alice, but this is effectively a recipe for making the state and there is nothing intrinsically 
quantum about such a recipe. 

To win this version of the game. Bob should create an entangled state of two qubits A and B, 



and send the A system to Alice. Such entangled states were first by Einstein, Podolsky, and Rosen 
(EPR) [26] and later translated into this 2-level system language by Bohm [27]. EPR pointed out 
the paradoxical property that identical measurements on the two systems always produce identical 
results — the amplitude of A always matches that of B and likewise for phase — even though ampli- 
tude and phase for the individual systems cannot both be simultaneously well-defined.^ In a sense, 
entangled states display correlations even though there is nothing there to correlate! 

However paradoxical, with entanglement Bob can always win the modified game. When Alice 
asks him to predict a particular measurement, he can simply consult his quantum memory, system 
B, by performing the same measurement Alice will make. Since the results are correlated, B in some 
sense contains one bit of classical information about both the amplitude and phase of system A. 
However, only one of these can ever be accessed because Bob cannot perform both measurements 
simultaneously; being able to do so would run afoul of the uncertainty principle. This peculiar 
combination of classical information about complementary physical properties is the essence of 
quantum information. Demonstrating this more concretely will be the topic of Chapter 3. 

At first glance it would seem that this behavior violates the entropic uncertainty relation Equa- 
tion (1.4). Now, however. Bob makes use of system B, so we should consider the entropies of the 
measurements conditioned on this fact. Thus Equation (1.4) does not apply. Just such a condi- 
tional version was conjectured and proven for the particular observables under consideration here 
in [RB09] and extended to general observables in [BCC+10].^ It states 



where now we make use of the quantum conditional entropy, defined using the von Neumann en- 
tropy (the Shannon entropy of the eigenvalues of the density matrix) as H{A\B)ii, = H{AB)ii, —H{B)ii, . 
The entropies H{X-^\B)^ and H{Z^\B)^, refer to quantum conditional entropies evaluated for the 
state after the respective observable of system A has been measured. The interpretation of a classi- 
cal entropy conditioned on a quantum system is not as clear as entropy conditioned on a classical 
system, but Holevo has shown that it provides a lower bound on the classical conditional entropy 
of the stated measurement on system A given the result of the optimal measurement on system 
B [32, 33].** 

^The EPR-Bohm states were actually states of two spin-1/2 systems with total angular momentum zero, so that iden- 
tical measurements are always anticorrelated, but the point is the same. 

''Uncertainty principles involving conditional entropy were first investigated by Hall [28] and extended to the case of 
separate conditional systems by Cerf et al. [29] . Christandl and Winter [30] gave a version for quantum channels which 
was the inspiration for the work in [RB09] . A much simpler proof of Equation (1.6) using the relative entropy was discov- 
ered by Coles etal. [31]. 

^This result was first proven by Forney [34], who did not make the connection to the conditional entropy. 




(1.5) 




(1.6) 
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Although the additional term on the righthand side might appear to make the bound tighter, the 
quantum conditional entropy of A given B can in fact be negative. For example, entangled states 
such as 1$) have H{A\B) = —1 since the AB state is pure (whence H{AB) = 0) but the state of B alone 
is completely random (whence H{B) = 1). This reflects another strange nature of the EPR state in 
that our uncertainty of the whole system AB appears to be less than that of one of its parts. In the 
present context, H{A\B] = —1 implies that the righthand side of (1.6) is zero. Thus, the bound is 
trivial, and conditioned on the quantum information B, the entropy of X andZ can both be zero. 

An alternate and fully equivalent form of Equation (1.6) ensures that, even if Bob makes use of 
quantum information in the original version of the game where he has to predict both outcomes, 
no winning strategy can exist. It now involves three systems: the system to be measured, A, and two 
memory systems B and C, 

+//(Z^|C)v, >log^- (1-7) 

In order to make a prediction of both amplitude and phase. Bob would need two physical systems 
in which to store this information. Even if he uses systems B and C as quantum memory. Equa- 
tion (1.7) ensures that amplitude and phase are still not simultaneously predictable. Put differently, 
although Bob can store classical information about both properties in the EPR state, there is no way 
to separate the amplitude and phase information without losing some of each in the process. 

Note that we were able to define entropy conditioned on a quantum system via the alternate 
form of the conditional entropy expression, H{A\B) = H[AB] — H{B). In retrospect, it is extremely 
fortunate that this form exists, because even the very notion of conditioning on quantum informa- 
tion is itself suspect. After all, the very nature of quantum systems is that their physical properties 
are not well-defined, so it is unclear what one should condition on. For instance, one might also 
like to define the variance of an observable on system A conditioned on the state of a quantum 
memory, system B. But how can the presence of B be incorporated into a variance calculation? We 
could stipulate that B is to be measured, calculate the variance of A for each outcome, and take the 
average, but this leads to unwieldy expressions. In the case of entropy, the formal structure rescues 
us and allows us to meaningfully speak of uncertainty conditioned on quantum information. 
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That complementary observables play an important role in quantum information processing is not 
original to this thesis, though we shall see new, more concrete characterizations of quantum in- 
formation in terms of classical information pertaining to complementary observables and uses for 
these characterizations in subsequent chapters. In this chapter we recount several protocols in 
quantum information theory that anticipated and motivated the work presented herein. Among 
these are teleportation, where a qubit is sort of transmitted by two classical bits, and superdense 
coding, where conversely a qubit carries two bits of classical information. An even more concrete 
prior manifestation comes from quantum error-correction, which is crucial to the possibility of ever 
constructing a working quantum computer, and its use in protocols for entanglement distillation 
and quantum key distribution (QKD). This we discuss in more detail, as the structure of error- 
correcting codes will be useful in later chapters. But first we turn to teleportation and superdense 
coding. 



2. 1 Teleportation and Superdense Coding 

Teleportation and superdense coding are two simple quantum information processing protocols 
which rather dramatically demonstrate how different quantum information is from classical infor- 
mation. They also indicate a connection between quantum information and complementary clas- 
sical information. Both involve two parties, a sender Alice and a receiver Bob, who share an EPR pair 
as given in Equation (1.5). In superdense coding, Alice would like to transmit classical information 
to Bob, but using the quantum channel. One method is for both parties to fix a basis, Alice only 
sending amplitude eigenstates |0) or 1 1) and Bob only measuring what he receives in the same basis. 
This allows them to send one bit of classical information per qubit. 

However, they can do better by making use of their shared entanglement, and Alice can send 
Bob two classical bits per qubit [35]. The trick is to use the Bell basis, ^ a basis of two maximally- 
entangled qubit states, defined as follows, 

|j8;fc)^^=(X^Z*^®l)|$)^^, (2.1) 

using the amplitude and phase operators as defined in the previous chapter. For completeness, we 
again write them here, in the basis {|0) , |1)}, 

To transmit the two bits j and k, first Alice applies X^Z'' to her half of the entangled state. A, and 
then sends it to Bob over the quantum channel. Since the Bell states form a basis. Bob can mea- 
sure the joint system AB in this basis to determine j and k. In this way, one qubit of quantum 
information can be made to carry two bits of classical information. 

The classical information can heuristically be regarded as one bit of amplitude information and 
one bit of phase information in the following manner. In the original scheme to transmit one bit 
per qubit using only the amplitude basis, Alice's actions can be described as modulating an initial 
state |0) by the operator XJ , producing |1) if j = 1 and leaving the state as |0) otherwise. The same 

1 So-named as they figure prominently in the study of whether quantum mechanics permits description as a local 
hidden variable theory by John S. Bell [14]. 
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modulation scheme works in the phase basis using the operator , starting with |+). In super- 
dense coding, Alice apparently performs hoth and amplitude and a phase modulation, encoding 
two bits at once. Due to the entanglement with Bob's system, these two actions can coexist without 
interfering with each other, allowing two bits to be transmitted. 

Teleportation is sort of the inverse of superdense coding; now, preshared entanglement enables 
Alice to send one qubit to Bob by transmitting two classical bits [36] . Again the trick is to use the Bell 
basis. If Alice measures her half of the entangled state and the qubit to be sent in the Bell basis, she 
need only forward Bob the measurement results and he will be able to reconstruct the input state. 

Formally, we let C be the qubit input, in an arbitrary state h is not difficult to verify that 
^'^iPjkl (l*)"*^ lip)^] = \{Z^XiY \4>}^- This means that after Alice measures her two systems in the 
Bell basis, each outcome occurring with probability ^, Bob ends up with the state ZiX^\xp). Thus, 
Alice merely has to send Bob the two bits of information j and k, and he can apply Xi Z^ to recover 
the original state |?/^) in system B. In this way, the qubit is transmitted by two classical bits, with the 
help of preshared entanglement. 

We can heuristically think of the two classical bits as being the amplitude and phase of the input 
state for the following reason. One way to perform a Bell state measurement is to first perform 
the controlled-NOT (cnot) operation and then measure each qubit separately in the appropriate 
basis. The cnot gate acts on two qubits, applying X to the second qubit (the target) if the first (the 
control) is 1 1) and doing nothing to the target otherwise. It can be thought of as coherently copying 
the amplitude basis of the control qubit to the target, in that a superposition state a|0) +;8 |1) of 
the control qubit and a "blank" target state |0) become a|00) + ^ |11). To complete the Bell state 
measurement after applying cnot, one measures the amplitude of the target qubit and the phase 
of the control. Therefore, in the teleportation protocol, we can choose the input qubit to be the 
control and Alice's half of the entangled state as the target, and it then appears as if the amplitude 
information is first copied to the second qubit and read out, while the phase is read out from the first 
qubit, the system itself. Of course, this is not precisely what happens, or else Alice would obtain both 
amplitude and phase information of |«/)), in violation of Equation (1.7). Nonetheless, teleportation 
indicates the important role played by amplitude and phase information. 

2.2 Quantum Error- Correction 

In the uncertainty game of the previous chapter, we assumed that the quantum memory used by 
Bob was noise-free. Clearly this is an unrealistic assumption, and although not particularly rele- 
vant for a gedankenexperiment, it nevertheless raises the question of what can be done to combat 
noise is real quantum information processing protocols. The answer, in the quantum case as in 
the classical case, is to use error- correcting codes. The fact that quantum error correction exists at 
all is of tremendous importance both practically and conceptually. On the one hand it shows that 
construction of quantum computers is not in principle a hopeless task, and on the other that quan- 
tum information itself is essentially digital (discrete-valued) in nature, despite its outward analog 
(continuous-valued) appearance. Even more, the way in which the first quantum error-correcting 
codes were constructed is related to the complementarity of quantum information: Arbitrary quan- 
tum errors are digitized into amplitude and phase errors, each of which is then corrected by es- 
sentially classical means. Before delving into the details of how quantum error-correction works, 
which illustrates the point more clearly and will be of use in later chapters, we give a brief overview 
of the issue of analog versus digital computation and the important role played by error-correction 
for both classical and quantum computers. 
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Whether classical or quantum, both analog and digital devices require error-correction to con- 
trol the effects of noise inescapably present in an actual device. A simple classical error-correction 
scheme is simply to repeat the calculation three times and take the majority of the results. However, 
the error- correction procedure itself is presumably not perfect and can only be performed to some 
finite accuracy in practice. Nonetheless, following an analysis by von Neumann [37] , it is possible 
that the rate at which errors are decreased by the procedure is greater than that at which they are 
caused. 

For digital computers the finite accuracy of the procedure presents no additional difficulties in 
principle because the device anyway only requires finite accuracy; in a discrete encoding we choose 
certain continuous parameter ranges of the underlying physical degree of freedom to correspond 
to discrete logical values. Thus the nature of the encoding accords very well with the finite accu- 
racy of available operations, and errors in the latter transform into errors in the former. Analog 
computers, however, require error-correction to arbitrary precision, so the buildup of errors due to 
finite-accuracy of operations is ultimately unavoidable. That reliable digital computers can be con- 
structed from imperfect components was shown rigorously by Gacs [38], though in practice current 
devices usually require error-correction only in the storage of information, not its manipulation, 
due to the intrinsically low error-rates of semiconductor-based integrated circuits. 

Since the quantum state of the quantum computer is determined by the continuous probabil- 
ity amplitudes appearing in the wavefunction, many of the same difficulties were thought to apply 
to quantum computers, an issue pointed out by Peres [39] and stressed by Landauer [40, 41, 42]. 
Noise-induced modifications to these amplitudes leads to errors in the computation, just as in the 
analog computer, so it would seem that any advantage promised by quantum computation in prin- 
ciple cannot be achieved in practice. Worse still, even the ability to perform error-correction seems 
suspect in the quantum setting, because the information cannot simply be read out to check for er- 
rors, as in the von Neumann repetition scheme, without introducing disturbance [42] . Nonetheless, 
there was reason for optimism: Zurek observed that owing to the different phase-space structures 
involved, the kind of exponential blow-up of errors that might be expected for a classical continuous 
computer would not plague a quantum computer with a discrete spectrum [43] . 

Happily, the construction of quantum error-correcting codes by Shor [44] and Steane [45] demon- 
strates convincingly that quantum information is not analog, but digital.^ Soon thereafter it was 
established that, just as with classical digital computers, reliable quantum computers could in prin- 
ciple be constructed using imperfect components, a fact known as the threshold theorem [47, 48, 49, 
50, 51]. Unlike the situation for classical electronic computers, no medium has yet been discovered 
or engineered which offers intrinsically low quantum noise rates, though much effort is devoted to 
this question and many major experimental achievements have been made. The crux of quantum 
error-correction is that although continuous errors in the state of the computer are indeed possible, 
they can be digitized without damaging the encoded quantum information. Instead of accessing 
the quantum information directly, as one would try in a direct analogue of the repetition scheme, 
the measurements needed in error-correction are designed only to provide information about the 
error, not the encoded information. In this way the construction very subtly evades the two objec- 
tions described above. 



^Some would still dispute this. See, e.g. Laughlin [46]. 
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2.2. 1 The Complementarity of Quantum Error- Correcting Codes 

Somewhat amazingly, quantum errors of any type can be corrected if discrete errors of two com- 
plementary types, amplitude and phase, can be corrected [52, 53]. These two errors result from the 
action of the already-defined X and Z operators, respectively, acting exactly as an unwanted mod- 
ulation of the quantum state. Often these errors are referred to as bit flips and phase flips, for the 
following reason. One commonly fixes a basis and calls it the amplitude basis, and then for an ar- 
bitrary qubit state I?/') = a|0) -1-^ |1) an amplitude error resulting from an unwanted X operator just 
flips the states |0) and hence the name bit flip. Similarly, phase flips interchange the states 
and |— ), or equivalently, flips the phase of taking (a, ^) to (a,— 

Either type of error by itself could be corrected in exactly the way a classical error would be 
corrected, through repetition. To correct a single bit flip error classically, we can encode it into three 
bits as follows, 

0^0 = 000 1^1=111. (2.3) 

These two bitstrings are called codewords, and the overline denotes a logical value of the encoded 
bit, as opposed to the values of the individual physical bits. Then, if one error occurs, we can correct 
it by examining each string and flipping the one bit which is different from the other two. Equiv- 
alently, the error may be diagnosed by computing the two parities, generally called syndromes, 
si = bi® and S2 = ^2 ® where bi, bz, and are the three bit values. The syndromes asso- 
ciated to each error position are shown in Table 2.1. Note that the bit is encoded in the value of 
b = bi®b2®b3. 

Bitstring pair (0,1) Error Position Syndrome (si,S2) 



(000,111) (0,0) 

(100,011) 1 (1,0) 

(010,101) 2 (0,1) 

(001,110) 3 (1,1) 



Table 2.1: The three-bit repetition code. The first column gives the bitstrings corresponding to the 
encoded logical zero and logical one 1 after a bitflip error whose position is given in the second 
column. The third column lists the syndrome information which allows the error position to be 
diagnosed. 

Seen from a different perspective, the reason this works is that the eight possible three-bit strings 
are grouped into four pairs, as in Table 2.1. One pair is given by the codewords themselves, and the 
other pairs are the images of the codewords under the three single-bit errors. In each pair one string 
corresponds to and the other to 1 as defined by this mapping. The syndromes reveal precisely 
which pair is present, but importantly they do not reveal anything about the logical bit value. Error- 
correction corresponds to mapping the noisy pair of strings back to the original pair. 

To correct qubit bit flip errors we may simply use the same repetition code in the computa- 
tional basis. Since the syndrome and correction procedure for a given error are independent of the 
encoded information, superpositions are also maintained by the error-correcting code. Thus, the 
state Ij/;) = a|0) -1-^ |1) is encoded as = a|000) + /J |111), a process which can be implemented as 
a unitary transformation on the input and two auxiliary systems, each in some given state we can 
take to initially be prepared in the state |0). The necessary syndrome information can be generated 
by measuring the two stabilizer operators ZIZ = Z®\®Z and IZZ, which we can write as Z1Z3 
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and Z2Z3. Each of these has the same action on the two logical states in each subspace, returning 
the values (— l)^' and (— 1)^^ respectively. 

The name stabilizer reflects the fact that the code subspace is stabilized by the two operators, as 
it is the simultaneous +1 eigensubspace of both operators. The encoded subspace supports a single 
qubit, and so it must be possible to represent its amplitude and phase operators. One possibility is 
given by Z = Z1Z2Z3 and X = X1X2X3 . These each commute with the stabilizers, but anticommute 
with each other as intended. Note that Z gives the encoded bit, just as in the classical case. 

We can also think of the stabilizers and encoded amplitude operator as defining a new complete 
set of commuting observables for the set of physical qubits. Such a set fixes a basis in the state space 
of the three qubits, and each of the operators is the amplitude operator for a corresponding "virtual" 
qubit. Labeling the virtual qubit operators with primes, we can write Z[ = Z1Z2, Z2 = Z2Z3, and 
Z^= Z = Z1Z2Z3. Conjugate to the new amplitude observables are phase observables X[ = X2X3, 
X'2 = X1X3, and X3 = X = X1X2X3, which are found by ensuring that they anticommute with the 
amplitude operators of the same qubit but commute with all other operators. The entire collection 
is shown in Table 2.2. The code subspace is then defined by the first two virtual qubits being in the 
+1 amplitude state. Bit flip errors change the amplitude of the encoded qubit and at least one of the 
virtual qubits, and the stabilizer measurement determining the location of the error translates into 
an amplitude measurement of the first two virtual qubits. 

Virtual qubit Amplitude Phase 

1 ZZl IXX 

2 IZZ XXI 

3 ZZZ XXX 

Table 2.2: Virtual qubits associated with the three-qubit amplitude repetition code. Note that am- 
plitude and phase anticommute for each qubit, but commute for different qubits. 

Discretization is automatically provided by the measurement of the stabilizer operators, which 
is anyway necessary for error-correction. Consider an error operator of the form E — e^I+eiXi, with 
go. ^1 s C, which is a sort of combination bit flip error and no error on the first qubit. It produces a 
superposition between two code subspaces, 

1^') = E\^) = eo 1^) + eiXi |^) = eo [a |000) + ;8 | 111)) + £?i (a 1 100) + /3 |011)) . (2.4) 

Measurement of the stabilizer operators destroys this superposition, forcing the system to the state 
of either one error or no error, but leaves the logical qubit superposition intact. Here the measure- 
ment has two possible syndrome outcomes, either (0,0) or (1,0), with probabilities |eoP/(|eoP+|eip) 
and |eiP/(|eoP+kiP), respectively. Conditioned on these outcomes, the state becomes ji/)) orXi |i/)), 
respectively, and can therefore be corrected using the syndrome information. 

2.2.2 Correcting Both Kinds of Errors 

Since phase flips are just bit flips in the basis |±), the above analysis immediately applies to this 
case upon changing X Z and working in the new basis. The insight of Shor and Steane was to 
realize that a single error of either type can be corrected by appropriately combining these proce- 
dures. Shor's scheme is conceptually somewhat simpler, and is based on concatenating the two 
error-correcting codes. That is, we take the codewords of the phase flip repetition code and replace 
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each of the three qubits with qubits appropriately encoded in the bit flip repetition code. This pro- 
duces codewords of nine qubits, as follows (here ignoring normalization), 



1+) ^ F) - 1+ + +) = (|0) + 1 1))(|0) + 1 1)X|0) + 1 1)) (2.5) 

F) F) - (|o) + |T)Xlo) + |T))(|o) + |T)), (2.6) 

h) ^F) - I ) = (|0) - |1)X|0) - |1)X|0) - |1)) (2.7) 

F) ^\-}= m - mm - mm - m (2.8) 



The repetition in the amplitude basis in the second step protects the encoded qubit from bit flip 
errors, since a single bit flip can always be detected and corrected by applying the 3-qubit repeti- 
tion procedure to each block of three qubits. This corresponds to measuring the Z-parity observ- 
ables Z1Z3, Z2Z3, Z4Ze, Z^Zg, Z-]Z<j, and ZgZg. Phase flips are slightly more involved, but consider 
what happens when a single phase flip error plagues, say, the fourth qubit. This is the first qubit of 
the second block, so we can zoom in on this block to determine the effect on the encoded states. 
Applying the error operator Z\ to the encoded states we find Z\ |0) = Z\ |000) = |000) = |0), while 
Zi |1) = Zi |111) = - |111) = - Thus, the error causes the action 

F)-(|o) + |T)X|o)-|T)X|o) + |T)) (2.9) 
F)-(|o)-|I>Xlo> + |I>Xlo)-|T)), (2.10) 

which is precisely a phase flip at the "inner" level. We could detect and correct this at the inner 
level by measuring the X-parities X1X3 and X2X3. Translating to the outer level of actual qubits, 
we replace each of the constituent X operators on the inner level by its encoded X operator on the 
outer level and instead measure X\X2X■iX^X■iX^ and Xl^X^XgX^X■iX%. The outcomes for the dam- 
aged states are +1 and —1 respectively, for both encoded states, implying that to correct the error 
we merely need apply Z4.^ 

The six amplitude parities and two phase parities commute pairwise and stabilize the code sub- 
space. As with the repetition code, the error analysis is made simpler by thinking in terms of virtual 
qubits, in this case nine, as shown in Table 2.3. Observe that the concatenated structure is reflected 
in the operators: three copies of the repetition code in virtual qubits one through six, followed by 
the same repetition code on the three blocks. The code subspace is fixed by requiring virtual qubits 
one through six to be in the +1 amplitude eigenstate and virtual qubits seven and eight in the +1 
phase eigenstate, but this structure makes it clear that we could have defined the code the other 
way around. 

Using this framework it is easy to see that the Shor code also enables detection and correction of 
joint bit and phase errors. A joint bit and phase flip of the fourth qubit, for instance, would reveal it- 
self by the fourth virtual qubit having the wrong amplitude and the seventh having the wrong phase, 
corresponding to —1 eigenvalues of the stabilizers Z4Z6 and X:^X<^Xf^X-iX^X%. From the structure of 
the virtual amplitude and phase operators it is clear that the code can actually detect and correct 
one bit and one phase error, irrespective of their locations. 

Again error discretization is provided by the stabilizer measurement, and fortunately, being able 
to correct just these two types of error is sufficient to correct any conceivable single-site error. Just as 
with the repetition code, we can consider the effect of arbitrary errors which are linear combinations 
of all the correctable errors. Since the Shor code can correct any single flip of bit and/or phase, errors 

or Zg would also work just as well. This flexibility is actually a subtle and important feature of quantum error- 
correcting codes we shall return to in Section 6.3. 
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Virtual qubit # 



Amplitude Phase 



4 



1 
2 
3 



5 
6 
7 
8 
9 



ZZll 11111 IXXllllll 

IZZllllll XXI 11 1111 

lllZZllll llllXXlll 

111 IZZl 11 11 IXXl 111 

llllllZZl lllllllXX 

1 1 1 1 1 1 IZZ 1 1 1 1 1 IXXl 

ZZZZZZ 111 111 xxxxxx 

1 1 1 ZZZZZZ xxxxxx 1 1 1 

zzzzzzzzz xxxxxxxxx 



Table 2.3: Virtual qubits associated with the nine-qubit Shor code. Note that amplitude and phase 
anticommute for each qubit, but commute for different qubits. 



of the form E = eool + SiqXi + eoi-^i + ^ii^i-^i with ,t e C can also be corrected. But, as can be 
readily verified, any operator can be expressed in this way as a complex combination of these four 
operators, meaning arbitrary single-site errors can be digitized to amplitude and/or phase errors 
and corrected. Despite initial appearances to the contrary, quantum information is therefore in a 
critical sense digital. 

2.3 Entanglement Distillation 

Quantum error- correction quickly found use in constructing protocols for distillation of entangle- 
ment, as well as in proving the cryptographic security of quantum key distribution protocols. We 
give a brief treatment of these uses here, as they will be generalized in later chapters. 

Distilling entanglement refers to transforming imperfect EPR states into approximately perfect 
ones. For instance, if Alice sends halves of maximally- entangled states through a noisy quantum 
channel to Bob, then the states which emerge will no longer be maximally-entangled. But it may 
be possible to repair some fraction of the states by actions undertaken on Alice's and Bob's systems 
alone, plus classical communication between them to coordinate their actions. To see how this is 
done, suppose that Alice and Bob share many copies of the state 



with pjk > and j. pjk = 1, which is just a probabilistic mixture of the four Bell states. This state 
is produced, for instance, by sending the B half of the state |#) = |/Soo) through a channel which 
applies the operator X^Z*^ with probability pj^. In principle, Bob can repair the actual state ip^^ 
to the desired state by determining which of these operators was applied and subsequently 
undoing it. Thus, the task is reduced to determining the actual sequence of errors, at least for states 
of this form. 

This sounds like a job for a quantum error-correcting code, even though here Alice is not first 
encoding the qubits she sends to Bob. Nevertheless, Alice and Bob can determine the error pattern 
by each measuring the stabilizer operators of an error- correcting code. It is simple to show that, just 
as in the information game, if Alice and Bob make the same stabilizer measurements on collections 
of EPR states, then they should always obtain the same outcomes. To the extent that they obtain 




(2.11) 



jk 
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different outcomes, this indicates an error. For instance, suppose that Alice and Bob divide their 
systems into groups of three and use the simple bit-flip repetition code described above. On each 
group of three, both Alice and Bob measure the stabilizers Z1Z3 and Z2Z3 . Perhaps the simplest way 
to work out what outcomes will occur is to note the following relationship, 

1(8)£|$) = £^(8)1|$), (2.12) 

valid for any operator E, where £^ is the transpose of the operator when expressed in the amplitude 
basis {|0) , 1 1)}. Now we can calculate the effect of the product of Alice's and Bob's stabilizers on the 
ideal state. Since Z^ = Z and Z^ = l, 

Z^^Z^'Z^'Z^' |$)^2'S2 I^^AsBs j ^ |$)^2B2 |$)^3B3 ^ (2.13) 

which implies that Alice and Bob must indeed obtain identical outcomes for their stabilizer mea- 
surements since their product must be +1. The same clearly holds for Z2Z3. If there is one X error 
in the state, say in the first position, then we find using the same method 

^yll^il32-Bl2-^2 ^J5^Bl |$)^2iS2 |$)^3B3 j ^^^IJS^Ai^yli ^l^^^lBl |$)^2B2 |$)^3B3 j (2.14) 

= -X^l |$)^2B2 |$)A3i?3 _ (2.15) 

Now the state is a — 1 eigenstate of the product of stabilizers, meaning the product of syndromes is 
— 1, and hence that Alice and Bob obtain different outcomes for these stabilizer measurements. A 
single X error on the first qubit will of course not affect the Z2Z3 measurements. But together the 
two stabilizer measurements suffice to locate a single X error in the three pairs, exactly as in the 
error- correction scenario. 

The story is essentially the same for any quantum error- correcting code, so we may create a 
protocol for entanglement distillation as follows, following Bennett et al. [53] . First, Alice and Bob 
use a small fraction of their pairs in order to determine the number of each type of error X, Z, and 
XZ, simply by both measuring in the appropriate basis and recording how often they obtained the 
same outcome. The bases are just the amplitude basis, the phase basis, and the basis consisting of 
the eigenstates (|0) ± of XZ, respectively. Next, given the expected number of errors, they 
choose an appropriate error-correcting code, but if no suitable codes exist they must abort the pro- 
cedure. If a suitable code does exist, they proceed by measuring the stabilizers to determine, with 
high probability, the actual pattern of errors, which can then be corrected by local operations on 
Bob's systems. 

This does not quite leave them with the desired states |$), however, since they have made the 
stabilizer measurements. Instead, the |$) reside in the encoded subspaces specified by the error- 
correcting code, their number corresponding to the number of encoded qubits. To recover these 
states, they each apply the decoding operation (the inverse of the encoding operation) to their sys- 
tems. The above protocol is designed to work for states of the form given in Equation (2.11), but 
actually applies to any input state since the stabilizers used in the protocol will automatically digi- 
tize arbitrary errors to amplitude and phase errors. 

2.4 Quantum Key Distribution 

Quantum key distribution (QKD) provides a means for the two separated parties Alice and Bob to 
communicate in private using only public communication channels. The security of the scheme 
is based only on the laws of physics and not the perceived computational difficulty of some task. 
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like factoring large integers, as commonly used in classical schemes today Needless to say, the 
problem of private communication is ancient, but it was first put on a firm mathematical footing 
by Shannon [54] . There the task is broken into two parts, establishing a secret key between the two 
parties, a random string of bits shared by both parties, and then using it to encrypt and decrypt the 
actual messages. One can imagine Alice and Bob creating a secret key together at some point in the 
past when they could do so secretly, but if they are already separated and can only communicate 
publicly, the situation seems hopeless. They could communicate privately if they had a key, but 
they need to communicate privately to create the key. 

Quantum information offers a way out of this dilemma in the form of entanglement. Returning 
to the uncertainty game, recall that Bob can, on demand, predict either the amplitude or phase 
measurement on Alice's system when they share an EPR pair. Moreover, the uncertainty principle 
Equation (1.7) implies that any would-be eavesdropper Eve could not predict either measurement 
using her system C any better than by just blindly guessing, a property of entanglement known 
as monogamy. By measuring each of their systems in identical bases, Alice and Bob can therefore 
generate one bit of a secret key from each entangled pair. 

They can attempt to create such pairs by using a public quantum channel in the manner de- 
scribed in the previous subsection: Alice prepares EPR pairs and sends one system of each to Bob. 
If the channel is noisy, perhaps due to Eve's interference, Alice and Bob can simply first run an en- 
tanglement distillation protocol to extract the required high-quality EPR pairs. Even though this 
requires them to exchange classical syndrome information over a public channel, it does not help 
any would-be eavesdropper as the measurements on the EPR pairs are completely independent of 
this information, a fact again insured by the uncertainty principle. The usefulness of entanglement 
distillation in this context was first treated by Deutsch et al. [55] and the security of this scheme was 
first rigorously proven by Lo and Chau [56]. 

The protocol will require a large quantum memory in which to store the various systems, as well 
as the ability to perform all the necessary stabilizer measurements. We did not worry about the 
practicalities of doing so in the previous section, but luckily for QKD all of the required operations 
can be reduced to just measuring in either the amplitude or phase basis, and subsequent process- 
ing of the resulting classical data, as shown by Shor and Preskill [57] . The reason this works is that 
ultimately we want to distill EPR states but then immediately measure them in some basis to gen- 
erate the key, and this gives us some flexibility in how we describe the entire process. By picking the 
right kind of error-correction code this flexibility allows us to get rid of essentially all (difficult) oper- 
ations on quantum systems apart from measuring them individually and replace them with (easy) 
operations on classical data. 

The necessary codes are called Calderbank-Shor-Steane (CSS) codes and include the original 
codes found by Shor and Steane as mentioned in Section 2.2. Their defining property, as first de- 
scribed by Calderbank and Shor [58] and Steane [59] , is that the stabilizers of the code can be broken 
into two groups, those composed of products of X operators and those composed of products of Z 
operators. Similarly, the logical amplitude operators only consist of Z-type operators, while the 
logical phase operators only consist of X-type operators. The more general formalism of stabilizer 
codes constructed by Gottesman [60] also includes codes whose stabilizers and logical operators 
are of mixed type, but importantly, these cannot be used for the present purposes. 

Consider the QKD scheme above using a CSS-based entanglement distillation scheme to correct 
for noise in the quantum channel. The entanglement distillation part proceeds in two steps, the first 
involving measurement of the Z-type stabilizers, which give Alice and Bob information about the 
bit errors, and the second involving the X-type stabilizers, which give information about the phase 
errors. Now assume that the key is generated by measuring, in the amplitude basis, each half of 
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the pairs output by the decoding step of the distillation protocol. This is equivalent to skipping 
the decoding step and instead measuring the logical Z operators directly. But in a CSS code these 
operators are composed entirely of products of Z operators on the individual qubits, and one can 
reconstruct the value of any desired product from the collection of all the individual outcomes. 
Knowing Zi, Z2, and Z3 enables us to calculate Z1Z2Z3, for instance. 

Thus, Alice and Bob could generate the outcomes of measuring the logical amplitude operators 
as well as all the Z-type stabilizers by first measuring each of their respective qubits in the amplitude 
basis and then forming the appropriate products of the outcomes. However, the X-type stabilizers 
cannot be generated in this way; in fact, all phase information will be destroyed by making ampli- 
tude measurements. The crucial fact is that Mice and Bob do not need the X-type stabilizers at all. 
Intuitively this makes sense, as these stabilizers give information about phase errors, but Alice and 
Bob only care about amplitude information. 

The protocol now proceeds as follows. Alice transmits halves of entangled pairs to Bob, and a 
random subset are used to estimate the rate of bit and phase errors in order to choose an appro- 
priate CSS code, while the rest are immediately measured in the amplitude basis. Just as in the 
entanglement distillation protocol, if no suitable code exists because the noise rates are too high, 
they must abort the procedure. If one does exist, Alice proceeds by constructing the Z-type stabiliz- 
ers according to the chosen code and transmitting them to Bob, who corrects the amplitude errors. 
They then forget about the phase stabilizers and each constructs the outcomes of measuring the 
logical amplitude operators for use as the secret key. 

From the outside there is no way to teU if Alice and Bob have performed the above procedure 
or actually measured the X- and Z-type stabilizers directly. Although the phase information has 
not been exchanged, correction of the phase errors is nevertheless possible in principle. Therefore, 
the procedure inherits the security of the Lo and Chau protocol in which Alice and Bob actually do 
create EPR pairs. 

In contrast, from Alice and Bob's point of view, the key is created by two classical information 
processing protocols. First, Alice sends Bob the stabilizer information which enables him to correct 
his observed amplitude measurements to match hers. This step is referred to as information rec- 
onciliation since the goal is to reconcile Bob's amplitude information with Alice's. In the next step 
they use the logical operators to construct a function of the amplitude data, which serves as the key. 
Due to the entanglement-based picture of the protocol, this has the effect of extracting that part of 
the amplitude data which is completely uncorrelated with any eavesdropper, and this part of the 
protocol is termed privacy amplification. We can think of the amplitude measurements as a sort of 
raw key which is then distilled to a truly secret key by running these two protocols in succession. 

Remarkably, we can also remove the need for entanglement entirely. Suppose that in the above 
protocol Alice immediately measures her halves of the EPR states as she sends the other halves 
to Bob. These measurements essentially prepare amplitude and phase basis states in the systems 
underway to Bob. For instance, if her amplitude measurement is |0), Bob's system is now in the 
state |0), and so on. Originally Alice and Bob agree in advance which observable to measure for 
each qubit, but suppose instead that they each make a random choice. Half the time they choose 
the same basis, and these outputs are "sifted" out by public announcement of the bases and kept 
for use as the key and for error estimation. 

From the outside there is no way to tell if Alice measures her system after the transmission, so 
that she is distributing half of an entangled pair, or before, so that she is randomly preparing am- 
plitude or phase eigenstates for Bob to measure. Thus, just as the classical key distillation scheme 
inherits security from entanglement distillation, the prepare and measure protocol inherits security 
from the EPR based version. In fact, this prepare and measure scheme is the original QKD protocol 
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proposed by Bennett and Brassard [61] and known as BB84; the connection to the version using en- 
tanglement was noted by Bennett, Brassard, and Mermin [62] . Shor and Preskill prove that the BB84 
protocol is secure using the reduction of entanglement distillation to information reconciliation 
and privacy amplification using CSS codes and the reduction of an entanglement-based protocol to 
a prepare and measure protocol. 
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In the information game of Chapter 1 we made use of the fact that EPR pairs have the property that 
measurements of either amplitude or phase on one subsystem are entirely predictable using the 
other subsystem, and we argued that this property is central to the notion of quantum information 
itself. Here we make good on this claim by showing the converse is true, amplitude and phase pre- 
dictability implies entanglement, as well as providing two other characterizations of entanglement 
based on complementarity and showing how these can be extended to characterizations of secret 
keys. 

The present chapter is divided into four sections. The first presents the converse as stated above. 
Specifically, following [RB08], we show that if there exist measurements on Bob's system which pre- 
dict Alice's amplitude and phase measurements with low error probability, then Bob can adapt these 
measurements to create a new system forming an approximate EPR pair with Alice's system. Es- 
sentially this is done by coherently performing both measurements in succession, as depicted in 
Figure 3.1. 

Our approach was inspired by Koashi's complementary control scenario [63] in which Bob either 
tries to guess Alice's amplitude information or somehow help her to prepare a phase eigenstate, 
and we remark on the connections below. Furthermore, the entanglement recovery procedure is 
useful in several other scenarios, such as approximate quantum error correction and the quantum 
information processing protocol known as state merging. 

In the second section we give two other sufficient conditions for entanglement recovery using 
the uncertainty principle, recounting the results of [Ren 11]. Again amplitude and phase information 
play the decisive role, but now the conditions involve a third system. In the first of these, entangle- 
ment is implicitly present in the systems shared by Alice and Bob if the amplitude measurement is 
predictable with low error probability using Bob's system, but high error probability using any other 
system. In the second, entanglement is present if both amplitude and phase are unpredictable in 
this sense using any other system. These conditions are not as constructive as the first, and instead 
rely on a powerful method often used in quantum information theory called decoupling. 

The third section modifies a result of [RB09] and details how the three characterizations above 
can be formulated in terms of conditional entropy. Finally, by appealing to the uncertainty prin- 
ciple, we can make a slight modification to the entanglement recovery procedure to instead create 
private states, which are the most general quantum-mechanical description of secret keys. Indeed 
this was actually the original motivation of [RB08]. 



3. 1 Amplitude and Phase Predictability & Entanglement 

Let us now specify the setup under consideration more formally. Our two parties Alice and Bob are 
located some distance apart and each have a technologically-advanced laboratory in which they can 
manipulate quantum systems. Suppose now that Alice and Bob share a generic bipartite quantum 
state ip"^^. Without loss of generality this state is the AB subsystem of a pure state lip)"^^^ for E 
the "environment". 1 We can express this pure state in two ways by expanding Alice's system in the 
amplitude or phase basis, 

\^f''=t.s/p'.\^)''\^^f' and l^r^^Xy^l^)^!^-)'^- (3.1) 

z=0 x=0 
^In the context of the pure state \ ip)^^^ , ip^^ denotes the marginal state of the AB system. 
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Figure 3.1: The quantum circuit enabling entanglement recovery from a bipartite state ip^^ by Bob, 
when he can approximately predict measurement of either conjugate observable X or Z by Alice. 
It proceeds in three steps. First, Bob coherently performs the measurement allowing him to 
predict Z, storing the result in auxiliary system Cz (unitary Ujf^). Next, he coherently performs 
the measurement allowing him to predict X, storing the result in auxiliary system Cx (unitary 
U^_^). Finally, to recover a maximally entangled state in system Cz, he applies a controUed-NOT 
gate, with control Cz and target Cx (unitary Uc^ot')- This procedure also leaves Bob holding the 
original input state ip^^ in systems Cx and B. 



Here \z) denote amplitude eigenstates according to Z|z) — (-1)^ \z) and similarly \x) denote phase 
eigenstates according to X|x) = (—1)^ \x}. The states \tpz}^^ and l'^^)^^ are normalized pure states, 
but otherwise arbitrary; pz and qx are the probabilities that Alice obtains the outcome z and x for 
amplitude and phase measurements, respectively. 

If Alice makes the amplitude measurement corresponding to the observable Z on her system, 
Bob can attempt to match her outcome by performing some generalized measurement on his sys- 
tem. This measurement is described most generally by a positive operator valued-measure (POVM) 
^Z: which consists of elements positive semidefinite operators such that A^ = 1. The prob- 
ability that he can correctly guess her outcome is given by 

1 1 

Pguess[Z^l^i)^ = Y,^r [(i^ ® Af ) = X P-Tr [Af (/.f ] , (3.2) 

z=0 z=0 

where Pz is the projector onto the amplitude state \z}, i.e. Pz = \z} {z\. The subscript on the guessing 
probability denotes which state we should use to evaluate it. To predict Alice's phase measurement. 
Bob would use a different POVM ^x with POVM elements Fx ■ His guessing probability is 

1 1 
Pguess(X^I^^)v, ^X^r [(^® '/''^l =Z^-Tr [rf #f ] , (3.3) 

x=0 x=0 

where now Px is the projector onto the phase state |x). 

3.1.1 Approximate Entanglement Implies Approximate Predictability 

Given the EPR state | $)'*^ , we saw in Chapter 1 that Bob can perfectly predict Alice's amplitude and 
phase measurements. Before moving on to the converse, we can strengthen this to an approximate 
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condition, that if Alice and Bob share a good approximation to 1$)"*^, then the amplitude and phase 
measurements are approximately predictable in that Bob's error probabilities are small. The trick is 
to choose the correct notion of "good approximation". Such approximate conditions are important 
in considering practical scenarios, since Bob's prediction of Alice's measurement outcome will never 
be perfect. For the same reason, they ensure that the idea that predictability of complementary 
information is what counts for quantum information is truly a physical statement, not merely a 
mathematical curiosity of the theory. 

If we want the resulting error probabilities to be small, a natural choice is to demand the trace 
distance between the state Alice and Bob actually share, tp"^^, and the ideal state ^'^^ be less than 
some prescribed approximation parameter e. The trace distance between any two states p and a is 
defined as |||p — cr||^, where ||M||i = Tr-^M+M for any operator M. The reason this is an appropri- 
ate choice stems from the fact that the trace distance cannot increase under quantum operations 
such as measurement, and that the guessing probability is directly related to the trace distance of 
the measured state. More generally, the trace distance between two states is also related to the max- 
imum probability that the two states give different outcomes under any possible measurement.^ 
Thus, for small trace distance, the two states behave essentially identically under any possible mea- 
surement. 

Using the trace distance we can show that for approximate EPR pairs amplitude and phase are 
approximately predictable. Suppose that | — $"^^11^ < e and imagine both Alice and Bob per- 
form the amplitude measurement on their respective systems. If were the actual state, the result 
would be ^z^z" = I Pz^Pz' where we use the observable Z^, respectively Z^, to denote that the 
state has been measured and to specify which measurement has been made. For ip^^ they obtain 
ipz^z" — p^Tr[P^, ^^]P^ ® P^,. Computing the trace distance, we find 



z,z' 

^lZli^-.-'-^^Tr[Pj?V'f]|. (3.5) 

z,z' 

which is just the variational distance between the ideal distribution and the actual distribu- 

tion PzTr[P^^(/7^]. But the variational distance can also be expressed as follows 

lY^ll^^.^' - P-^^^Pz''fz^\=^^ Z |i^^,z'-PzTr[P^>f]|, (3.6) 

z,z' [z,z')eS 

where S is any subset of the pairs [z,z'). Choosing S = iz,z') for zy^z' gives 



zj^z' 

= l-Pgaess{Z^\Z%. (3.8) 

The latter expression is a slight abuse of notation, using the observable to denote Bob's measure- 
ment. Because the trace distance cannot increase under the measurement, pguess{Z^\Z^)ii,: >l — e. 
The same conclusion holds for the phase measurement, PguessiX^\X^)xi! > 1 — e. 

^See, e.g. [14] for an excellent introduction to and explication of the basic results in quantum information theory. 
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3.1.2 Approximate Amplitude and Phase Predictability Implies Entanglement 

Now we can state and prove the converse, that approximate amplitude and phase predictability 
implies entanglement. We first establish a lemma which will also be used in the subsequent entan- 
glement characterizations. 

Lemma 1. Given a state = ./p^\z)'^\ipz)^^ , let\xp)'^^^^ be the identical state with system 
Cx replacing A, and define |j/'z)^'"^^^ = VPlI-^)"* l'^)*^^ IVz)^^- If there exist partial isometries 
C/f ^^^^ and [/2^^«^CzC^B ^^^^ ^^^^ 

^c^«^(V'z|f/f^''^''|i/')^''''>l-ei, and (3.9) 
(^^^($1 ^^^^(i/'l) C/f ^^^^^^^ liPzf'^''''' > 1 - £2, (3.10) 

then for f/»-CzCxB = ^CzB^CzCxB ^b^CzB ^^^abe^ 

\ |||$)^"^^ - u^^CzC^^ V\))^^^\^ < /2e~i + s[2e2. (3.11) 

Proof. The fidelity F{il>, cp] = {iplcp) between two pure states gives an upper bound on their trace 
distance, Hli/) — 1|^ < ^ 1 — F{il>, 0)^, so that fidelity greater than 1 — e translates into trace dis- 
tance less than VZe. Since the trace distance is invariant under unitaries and partial isometries, the 
lemma follows from the triangle inequality. □ 

Theorem 1. /f Pguessl-^"^!-^/))/' > 1 - f i and p^uess{^^\-^i)ip > 1 - ^2 for some measurements 
and .Jl^ on a state ip^^, then there exists a partial isometry [/^-•CzCxB such that 



\ \x\}f''^^ - [/^^^CzCx < /2ei + V2e^. (3.12) 

Proof We use the measurements to define the two isometries required for Lemma 1. For the first 
isometry U^'^^^^ we may use the coherent implementation of the measurement ^J^, which stores 
the measurement result in system Cz- Performing the measurement coherently produces the state 
^ , which without loss of generality takes the form 

[/™|^r^^Xy^|.)^|z')"^V^|^.)"^ (3.13) 

z,z' 

Now compute the overlap of this state with the state \ipz)^'^^^^ - l-z)^^ \fz)^^, which 

would be the ideal output of the coherent measurement process. 

(rP^lU^-CzB^^^ABE ^J^^^^^^^^^^^^j,^ (3.14) 

z 

>^pA^z\A^,\^zf'' (3.15) 

z 

= Pguess(Z^l^z)V'- (3.16) 

using the fact that a/A > A for < A < 1. Hence, we have the first condition of Lemma 1. 
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For the second, let i/^-^c^b ^^le partial isometry which coherently implements the measure- 
ment storing the result in system Cx- Coherently measuring \ipz)^'^^^^ gives 

z 

Z X 

= l^^""' Y.'^-ir /q'xlx') v^l#x)^^ . (3.19) 

x,x' 

Here we have made use of the algebraic relationship between the two bases. Ideally the output 
would be the state 

z X 

and computing the fidelity between the ideal and actual outputs gives 

ACzCBE^^^^^yB^CxB^^^^ACzBE ^1 ^ /^i-ir^''-''"Hx"\x'} {^,''\ ^A^x)"'' (3.21) 

= Y,cix{^x\/rf\f,f'' (3.22) 

X 

>J^qx{^x\r^Wx}'"' (3.23) 

X 

= Pguess(X^I^^)^. (3.24) 

We may also express lip'^f^^^'"'^'^ as 1^)"^ l^f"" i^''^'^'' lipf'''^^, and therefore applying a 

control-NOT V^^not^ with Cz as the control and Cx as the target to the ideal output gives l^)^*^^ 
Since the fidelity is invariant under partial isometrics, the second condition of Lemma 1 holds for 
jjCzB^CzCxB ^ y^CzCx yB^CxB^ completing the proof. □ 

3. 1 .3 Further Uses of the Entanglement Recovery Operation 

We originally introduced the environment system E as the purification of the joint state held by Alice 
and Bob, but of course we can look at it the other way around; generically Alice and Bob jointly hold 
the purification of system E. However, our entanglement recovery operation has done more than 
just recover entanglement, as it reveals that when Alice's amplitude and phase measurements are 
predictable by Bob, he implicitly holds the purification of E by himself. This follows because the 
recovery operation also produces (a good approximation to) the state li/))^^^^, which is identical to 
the initial state except system A is replaced by Cx, held by Bob. In the following chapter we shall use 
this property to construct protocols for state merging, in which Alice attempts to merge her state 
with Bob by using classical or quantum communication. 

Theorem 1 may be regarded as giving necessary and sufficient conditions on the existence of 
an approximate quantum error-correction scheme: Approximate error correction is possible when 
amplitude and phase information can each approximately be recovered. The schemes discussed 
in Chapter 2 based on quantum error-correcting codes were perfect in the sense that the input 
quantum state can be perfectly recovered if the error is of the correctable type. Approximate error- 
correction sets the more modest goal of only recovering the input approximately. 
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Entanglement recovery is relevant to this goal because we can always mimic the initial single- 
system input to the error-correction problem as half of an EPR pair, the other half of which is then 
measured in an appropriate basis. The basis is given by complex conjugating the coefficients of the 
original basis, which follows because the EPR state can be written as \^)^^ — "^S; 
any basis {\^j) = ^jo \0) + ^ji |l)}]=o' where = ?*o + This was precisely the method used 

in reducing the QKD scheme based on EPR pairs to one involving only preparation and measure- 
ment of single systems. From this line of reasoning it follows from a result of Schumacher [64] that 
if entanglement can be approximately recovered by the scheme, then the approximation parameter 
sets a lower bound on the average fidelity with which single systems can be recovered by the same 
procedure. 

In the preceding analysis, we have assumed that Alice's system is a qubit, whereas Bob's system 
is arbitrary. But the result may be easily extended to the case that Alice holds a d -level system by 
using the more general amplitude and phase operators defined by 

d-1 d-1 

X = ^\kei}{k\ and Z = ^e^''''''''\k}{k\. (3.25) 
k=0 k=0 

Often these are called the Weyl-Heisenberg operators, as they have similar properties to the po- 
sition and momentum operators of continuous-variable systems. Here the crucial point is that 
the algebraic properties of the amplitude and phase operators used in Theorem 1 hold for higher- 
dimensional systems as well. In the sequel, we shall continue to specialize to the qubit case. 

3.2 Duality & Decoupling 

The uncertainty principle Equation (1.7) establishes a tradeoff in how well Alice's amplitude mea- 
surement can be predicted using system B and how well her phase measurement can be predicted 
using system E. In the previous section the sufficient conditions for entanglement were of the for- 
mer type, but the tradeoff suggests that we might to be able to find sufficient conditions of the latter 
type and focus instead on what information system E does not have, rather than what information 
system B does have. Concentrating on lack of information and building protocols by destroying 
correlations is the essence of the decoupling approach to quantum information processing, which 
goes back to work on approximate error-correction by Schumacher and Westmoreland [65] and 
has found wide application to constructing information processing protocols such as state merg- 
ing [66, 67] and noisy channel coding [68, 69, 70, 71] that we shall encounter in Chapter 4? 

In the decoupling approach one tries to show that Alice's system is completely uncorrelated with 
system E in order to infer that Bob's system is entangled with Alice's. Here, however, we shall be able 
to show that it suffices for this purpose to ensure that E has no information about Alice's amplitude 
or phase. This reflects our main theme that what really counts in quantum information is classical 
information about complementary observables. Part of the appeal of decoupling is that it allows us 
to avoid the problem of constructing the isometrics needed for Lemma 1. Instead, the isometrics are 
automatically constructed by appealing to Uhlmann's theorem on the relationship between fidelity 
of mixed states and that of their possible purifications. 

However, from the uncertainty principle we are only entitled to expect that if is predictable 
from B, then X"^ is unpredictable from E, but not the converse. Were the converse true in general, 

^The decoupling approach has also been extended to quantum channels, instead of quantum states as described 
here, in [72,73,74, 75,76]. 
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we could immediately establish that lack of information in E is sufficient to imply the presence of 
entanglement because it would imply the conditions we already have in Lemma 1 and Theorem 1. 
Absent the converse, it is not immediately clear that this approach will work. 

Note that the converse does hold if it happens the state \il>)^^^ saturates Equation (1.7), so that 
H{Z^\B)i^, + H{X'^\E)ip = 1. Two separate sufficient conditions for equality in the uncertainty prin- 
ciple are derived in [RB09], and these take the simple form PguessC^'^l-B)^ = 1 and Pguess(-^'^|£')i/j — 1- 
Equivalently, each of these conditions implies the complementary form H{X^\B] + H{Z^\E) = 1 
is trivially saturated, since either H[X^\B) = and thus H{Z^\E] = 1 or H{Z^\E] = and thus 
H{X^\E] = 1. Luckily, it turns out that due to the structure of Lemma 1, either of these two equality 
conditions can be satisfied without loss of generality to the entanglement criteria. We shall make 
use of both in the two results presented next. 

First, we need to formally characterize the unpredictability of measurements on Alice's system 
when making use of the purification system E. The most straightforward approach would be to 
say that the associated guessing probabilities are small, even for the optimal measurement. How- 
ever, optimal measurements are quite often difficult to specify in quantum information theory. To 
sidestep this problem, we may instead use the following quantity, 

PsecureiZ''\E]^^l-l\\lp^''^-ll^®llj%, (3.26) 

and say that E has no information about Z"^ when Psecure(Z"*|£')i/' is nearly one. Another possibility 
would be to phrase matters in terms of the conditional entropy, stating that H[Z^\E) is large. It turns 
out that such an entropic condition implies that of Equation (3.26) and we shall return to this point 
in the next section. 

Abound on PsecuieiZ^\E]ii, also implies a bound on the guessing probability, as follows. Suppose 
system E is measured with some POVM = {A^}. The probability distributions of measurement 
outcomes on the real and ideal states are pz,z' — Pz^A^^'^z^ and p'^ ^, — ^Tr[A^,ip^], respectively. 
For the variational distance we find 



iJ^lPz,.' - P'z,z'\ > - Pz.. (3.27) 

z,z' z 

= (P-Tr[Af ] - |Tr[Af vp^]) (3.28) 

z 

- |pguess(Z^I^|)V^ - i (3.29) 

and therefore Psecuie[Z^\E)ii, > 1 - e implies PguessiZ^\^i)ii! <\ + 2e for any measurement 
Observe that the quantity Psecure also implies the outcome of the measurement is nearly random. 
This accounts for the name 'secure' since effectively this means Alice can generate a secure secret 
key bit by this measurement. 

Now we are ready to state the new entanglement conditions. The first says that Alice and Bob 
implicitly share entanglement if Alice's amplitude measurement can be predicted using B but not 
E. This is almost the same as saying that Alice and Bob can generate a shared secret key from their 
state, a point we return to in Section 3.4. 

Theorem 2. //"psecure(Z'^|£')^, > 1 — 62 andpguess{Z^\-^z^ii< > I — ei for some measurement .Ji^ , then 
there exists a partial isometry [/b^CzCxB ^uch that 

\ \,'^)^'^^ - u^^^CzCx < yiel. (3.30) 
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Proof. From the proof of Theorem 1, the first condition of Lemma 1 is fulfilled for ^ the co- 
herent implementation of the measurement ^J^. For the second condition, consider the implica- 
tions of Psecure(Z^ I > 1 - 62 for the State \ipz)^^^'^^- Since tracing out CzB from Ij/'z)'*"^''^^ gives 
the same result as measuring the amplitude of the state we have 

l\\ipj''-^l^®iP%<e2. (3.31) 

The trace distance gives a lower bound to the fidelity, so that 

f(?/)|^,|1^(8)j/»^) > 1-62. (3.32) 

By Uhlmann's theorem, the fidelity of two mixed states is identical to the largest fidelity of their 
possible purifications. Two possible purifications of the two states in question are \ipz)^^^^^ and 
^^^ACz ^^^CxBE ^ and since all other purifications are related by isometrics involving the purifying 
system, we have 

(^^^($1 ^^^^^^^ IV'z)^''^'''' > 1 - 62 (3.33) 

for some 

uCzB^CzCxB j^^^ is the sought-after second condition and completes the proof. □ 



Observe that although Theorem 2 calls for psecuieiZ^\E)ip to be large, we actually apply this 
condition to the state ji/'z)'^^^^^ for which pguess (-^"^ I Cz 5) = 1. Therefore the uncertainty relation 
H{X^\CzB)^,+H[Z^\E)ii, = Iholds, and we are essentially able to trade large psecuieiZ'^\E]ip for large 
PguessC^"^ I Cz5)i/> as is needed for Lemma 1. Indeed, it follows from the discussion prior to Lemma 1 
that the following is an immediate corollary to Theorem 2. Using the isometry jjb-^CzCxB define 
the measurement = ^ifiB^CzCxBpCz ^b^CzCxB-^^ 

we have 

Corollary 2. If p^ec-aie{Z-^\E)ii, > 1 - e and Pguess{Z^\-^i)ip — 1 for some measurement , then 
there exists a measurement .Ji x such that pgaess{X^\-^x^ip > 1 — V2e. 

This is Theorem 4.2 (a) of [Ren 11]. Note that we have dropped the explicit use of | j/^z) by stipulating 

that Pguess(Z^I^|V = l. 

Continuing the trend of denying information to E, we might hope that Alice and Bob share 
entanglement when the amplitude and phase are unpredictable using E. However, a simple coun- 
terexample shows that this cannot be true in general. Define lip)^^^ — -^(10) + z ll))"^ (8) |(^)^^; here 
Alice's system is an eigenstate of the observable XZ. Due to the product structure, both and 
X-^ are unpredictable using either E or B. This is to be expected in light of the preceding discus- 
sion on the need to saturate the uncertainty principle. One way to avoid this problem is to re- 
quire that not only is the amplitude measurement unpredictable using E, but the phase measure- 
ment is unpredictable using E even assuming E could predict the amplitude. Formally, we require 
Psecure(^'^|C'z£)i/iz to be large, which again involves the state \xpz) that saturates the uncertainty 
principle, though this time Cz is joined with E, not B. 

Theorem 3. /fpsecureC^"^ I Czfji/Jz > 1 - (ind Psecure(^'^|£')i/) > 1 - £2- then there exists a partial 
isometry [/b^CzCxB such that 
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Proof. From tiie proof of Theorem 2, the second condition here implies the second condition of 
Lemma 1 is satisfied. To show the first, consider the implications of Psecure(^'^|C'z£)i/)z > 1 — ei for 
the state \ipz)^'"^^^ ■ We may express the state as follows 



\H'z) 



ACzBE . 



\BE 



X z 
X z 

X 

Defining \ri^f^^^ = {Z^'f^ \x\)f^^^ and = | Y.x have 

1 - Psecure(X^I Cz£)v,z = ||| | ^ '^^ ^^'^ ® ^x^"" " ® ^""^^ 

x 



iCz-E _ *nCz£ II 
Ix I 111' 



(3.35) 
(3.36) 
(3.37) 



(3.38) 
(3.39) 



r^CzE _ ^CzE 



But since the trace distance is invariant under unitary operations, in particular (Z^ , 

||)7^f ^ — }7*^2^||j for all x,x'. Observe that rj^^E — ijj^^^ since the random phase flip has the effect 
of "measuring" the amplitude of Cz- As |J7o)^^^^ - \ip)'^^^^, we can therefore infer that |||«/^'^^^ - 
'/'z^^IIj < ei, orequivalently — i/i^^IIj <ei. Converting trace distance to fidelity and applying 

Uhlmann's theorem, we find there exists an isometry U^^'^^^ such that 



Thus, the first condition of Lemma 1 is satisfied, completing the proof. 



(3.40) 
□ 



Again, the resulting isometry can be used to define the measurement in the following, 
which is Theorem 4.2(b) of [Renll]. 

Corollary 3. If Pf,ec\iie{^^\E)ip > 1 — e and Pguess{Z'^\-^i)ip = 1 for some measurement .Ji^ , then 
there exists a measurement such that Pguess 

Figure 3.2 illustrates the contents of Theorems 1, 2, and 3 by indicating which system must have 
what kind of information, or lack thereof, in order to infer the presence of entanglement between 
Alice and Bob. 



3.3 Entropic Characterizations 

As advertised after Equation (3.26), another possible formalization of "unpredictability" is using 
the conditional entropy: The amplitude measurement outcome Z-^ is unpredictable using E when 
H{Z^\E) is large. Owing to the connection between conditional entropy and the quantity Psecure 
given by the following lemma, we can establish entropic conditions on entanglement from the re- 
sults of the previous section. This was partially investigated in [RB09] . 

Lemma 2. //H(Z^|£)^, >l-e^, then Psecum[Z^\E)^ >l-e. 
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Theorem 1 Theorem 2 Theorem 3 

Figure 3.2: Graphical depiction of the contents of Theorems 1, 2, and 3. All three theorems specify 
conditions under which Alice and Bob can transform their shared state ip^^ into a collection of 
EPR pairs using only local operations. Theorem 1 shows this can be done when both the amplitude 
and phase of Alice's system are correlated with Bob's system in that he could reliably predict either, 
depicted by the blue (amplitude) and red (phase) lines joining Alice and Bob. Theorem 2 shows 
that amplitude correlation with Bob and ancorrelation with the environment leads to the same 
conclusion. Finally, Theorem 3 establishes that appropriate uncorrelation of both amplitude and 
phase suffices to infer that the Alice-Bob system to be entangled. 

Proof. The proof relies on the connection between relative entropy D(p||(7) of two states p and a 
and trace distance between them, in particular the bound ||p — cr||^ < D[p\\a) [65]. This may 
be more conveniently expressed as |||p — cr || ^ < ^ D{p\\a). By direct calculation it is easy to show 

D [xl)f^ III 1^ (8) i/'^) = 1 - H{Z^\E]^i, . (3.41) 

Using the bound on H{Z^\E)ii: and the definition of Psecure[Z'^\E]ii, completes the proof. □ 

Theorem 4. Given any of the following pairs of conditions, 

(1) H{Z^\B)^<e\, (2) H{ZA\B)^<€\, (3) H{XA\CzE\„>1- e\, 

H{X^ \B)^<el HiZ^ \E\,>l-el H{Z^ \E)^>l-el 

there exists a partial isometry [/^^CzCxS such that 

\ |||$)^^^ - u^-'^CzC^ \^)^^^\^ < \/2e~i + ^[2e2. (3.42) 

Proof Using Lemma 2 for the last pair, we can apply Theorem 3. But since H{Z^\B)ii, = H{Z^\B)^,^, 
(1) and (2) each separately imply (3) by the uncertainty principle Equation (1.7). □ 

That the first pair of entropic conditions implies that Alice and Bob share entanglement is a 
variation of a related result found by Christandl and Winter that quantum channels are useful for 
transmitting entanglement if they could be used to reliably transmit classical amplitude and phase 
information [30] . The fact that the first pair of entropic conditions in Theorem 4 are sufficient for 
systems A of arbitrary dimension is actually somewhat surprising, as it is known that just because 
the conditional entropy H{Z^\B) is small does not imply that there exists a measurement such 
that H{Z^\Ji^) = H{Z^\B), let alone that the guessing probability Pguess{Z^\-^z^ is large. In fact, 
Ruskai has shown that Bob's conditional marginal states must all commute pairwise for the condi- 
tional entropy to be achievable [77] . 
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The gap can be simply illustrated by the following example implicitly given by Holevo [78] , in 
which Bob's state conditioned on Alice's amplitude basis measurement is a randomly-selected am- 
plitude or phase eigenstate, 

3 
t=0 

for |(/?o) — |0), — \ip2) — \+), and |(/?3) — |-). By direct calculation we find H{Z^\B] — I, where 
nowZ"* is any non- degenerate observable diagonal in the \z) basis. On the other hand, a derivation 
by DiVincenzo et al. [79] using the Maassen-Uffink uncertainty relation Equation (1.4) shows that 
the optimal measurement is such that H{Z^\M^) = |. The optimal measurement can also be 
found by exploiting the group covariance of Bob's states and appealing to a theorem of Davies [80] . 
Nonetheless, fulfilling both entropy conditions evidently circumvents this issue, as the necessary 
measurements are defined by Corollaries 2 and 3. 

3.4 Secret Keys & Private States 

With a very slight modification, we can extend the results above to give necessary and sufficient 
conditions on the ability to extract a secret key instead of an EPR pair from the state ip^^ . In Sec- 
tion 2.4 we discussed the fact that EPR pairs can be used to create secret keys, but entanglement of 
this form is not actually necessary, a fact first observed by Aschauer and Briegel [81]. Instead, bi- 
partite quantum states which are capable of producing secret keys are called private states and their 
general form was established by Horodecki et al. [82] . In this section we show that just like entan- 
glement, knowledge of complementary observables plays a decisive role in characterizing private 
states. 

Private states have two defining features, as alluded to prior to Theorem 2. First, the key mea- 
surements by Alice and Bob clearly must produce identical results. Second, the key should be com- 
pletely random and uncorrelated with any third party, i.e. a would-be eavesdropper Eve. Without 
loss of generality we can assume that Alice and Bob have two systems each. A, A' and B, B', respec- 
tively, and the key bit is generated by amplitude measurements of A and B. If they start with any 
other state having only systems A' and B', they can coherently perform the key generation mea- 
surements and store the result in the amplitude of systems A and B, respectively. Horodecki et 
al. [82] give the following characterization of ideal private states, whose proof we include here for 
completeness. 

Theorems (Horodecki etal. [82]). tpAA'BB' is a private state iff there exists a twisting operator u^^'^' 
of the form u^'^' — X!z=o 1^) (■^1'^ ® yA'B' j^fj^j^ unitary such that for some E,^'^' , 

^AA'BB' ^ ^AA'B' (^^AB ^ ^A'B'>^ U^^A'B'^ (3 44) 

Proof. Consider a purification of a private state. By the first requirement, it must have the form 

^^^AA'BB'E^l^Y^^^^^^AB^^^^B'E^ (3^453 
z=0 

The second requirement implies that the states Lpf are all identical, so that the key bit z is secret 
from any eavesdropper. All possible purifications of a state are related by unitaries on the purifying 
system, meaning \'~Pz)^^ ^ — yA'B' ly?,,)^ ^ ^ for some unitaries 1^. Using these to define the twisting 
operator and letting E,^'^' — ^>q^ completes the proof. □ 
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Thus, private states are "twisted" versions of entangled states in which the A'B' system is trans- 
formed in some way conditioned on the value of the key. Since the function of the A'B' system is to 
block correlations of the key with E, it is called the shield. Here we have defined the twisting oper- 
ator as conditioning on Alice's key system A, but since her key is always equal to Bob's, the twisting 
operator can just as well be conditioned on B. Private states are conceptually distinct from entan- 
gled states because the distributed nature of the A'B' system prevents Alice and Bob from undoing 
the twisting operator on a general private state. Indeed, there exist private states from which no 
entanglement can be locally extracted [82] . 

As with entanglement, we are more interested in characterizations of approximate secret keys, 
since perfection will be impossible to achieve in practice. The following lemma shows that the 
above definition of secret keys can be extended to a sensible approximate version. Here we de- 
note by ijjZ^z'^E ^YiQ state tp^^^ after measurement of the observables and Z^, and we say that 
an approximate secret key is e-good when its trace distance to a perfect key is less than e. 



Lemma 3. If p. 

secret key. 



{Z^\Z^\. > 1 - ei and Psecme{Z^\E)ii, > 1 - ^2, then ip^^^''^ is an [ei + €2)-good 



guess 



Proof. Start with pguess(^'^|2'^)^ > 1 - ei. By the triangle inequality we have 



z,z'/z 

<ei. (3.48) 



But the state Xz,z' Pzz'P^ ® ® V'f^/ can be thought of as U^^^^ (X^,^' Pzz'P^ ® P^ ® y^f^,) U, 
From the second condition it follows, for ip^ = Xzz' '^zz" ^^^^ 



CNOT- 



I" 



zz'P^^Pq^^ 



E 

zz' 



<ei, 



(3.49) 



since the presence of Pg^ doesn't change the trace distance. Using unitary invariance of the trace 
distance and the triangle inequality once more completes the proof. □ 



To give an approximate characterization of private states based on knowledge of complemen- 
tary information, we merely need to show that a converse of Corollaries 2 and 3 holds, namely that 
if Bob can accurately guess the amplitude of Alice's system, then the phase is unpredictable using 
the purification E. We formalize this in the following lemma, which is Theorem 4.1 of [Renll]. 

Lemma 4. If there exists a measurement such that pgaess[Z^\^i)ip > 1-62 for pure state \xp)^^^ , 

then PsecuieiX'^lEy, > 1 - ^26. 

Proof. Following the proof of Theorem 1, we know that {ipzl U^/^J^^^ \xp)^^^ > 1 — e. Using the form 
of \ipz)^'^^^^ in Equation (3.37), it follows that E is completely decoupled from the phase measure- 
ment of ^, i.e. the post-measurement state is ^l"* ® \p^. Since u'^^^^ does not involve A or E, the 
post-measurement state of AE is the same for lip)^^^ as for u't"^^^ IV)"*^^. Converting fidelity to 



trace distance, we find that 



< A/2e. 



□ 
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Figure 3.3: The quantum circuit implementing the (un)twisting operator on the state ij^^^'^^' , when 
Bob can approximately predict Alice's key (amplitude) measurement of system A and there exists a 
measurement approximately predicting her phase measurement. It proceeds in three steps. 

First, Bob coherently copies his key (amplitude) to an auxiliary system Cz using a controUed-NOT 
gate (unitary [/cnot)- Next, he coherently performs the measurement allowing him to predict X, 
storing the result in auxiliary system Cx (unitary U j^ ^ ). Finally, to recover a maximally entan- 
gled state in system B, he applies another controlled-NOT gate, with control B and target Cx (unitary 
t^raor)- Observe that the overall action is a controlled operation with Bob's key as the control and 
the shield and auxiliary systems the target, i.e. a twisting operator. 



With this lemma the following theorem, first shown in [RB08], is immediate. 

Theorem 6. Suppose pguessiZ^\Z^)ip > 1 — ei and there exists a measurement M^^^' for which 
PguessiX^\-^x'^^')4: > 1 - £2- Then ipz^z^E fg _|_ ^262) -good secret key. 

It is also interesting to see how the untwisting operator can be directly constructed using the 
measurement Ji^^^' . First write the initial state as = ^/plj'\z)^ W)^ Wz.z')^'^'^ 

consider the action of a cnot operation from B to an ancilla system Cz prepared in the state 10)*"^. 
This copies the value of z' and gives 

= Z ^1^)^ \^'f' \^')' . (3.50) 

z,z' 

From the first condition it follows that {ipz\ Uc^Si \xp}^'^^''^ > 1 - ei, where 

^^^fCzA'BB'E ^ Y,^,\,f i^^C. \^^^^,fB'B (3513 

z,z' 

Now make the replacement A'BB' B in this state and apply the latter half of the proof of Theo- 
rem 1, from which it follows that 

ACz^^l CxA'BB'E^^Ij^ jjCzCx yA' BB'^CxA' BB' ^s^ACzA' bb' e > 1 _ g^. (3.52) 

The fidelity is unchanged by inserting the identity operator in the form L/swap U^wa/ > yielding 

^^($1 CxA'CzB'E^^^ ^BCx^yA'CzB'-.CxA'CzB'jjB^Cz\^^^^ > 1 - 62- (3.53) 
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Since C/swap[/™ot \ip)'^''^^''^ = [/™ot I?/')^^'^^'^, the same method applied to the first fidelity condi- 
tion gives 

i^z\ Ul^g- t/,^,'o^, 1^)^'^^'^ > 1 - ei. (3.54) 

Lemma 1 now implies that the operator Ucmi^^''^^^'^'^^^''^^^' ^cnSr produces a high-fidelity entan- 
gled state in systems AB. But owing to its form, this is a twisting operator, as depicted in Figure 3.3. 
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Having concretely developed the relationship between quantum information in the form of en- 
tanglement and classical information about complementary amplitude and phase observables in 
Chapter 3, we may now apply it to the problem of constructing various quantum information pro- 
cessing protocols and understanding why they work. Being able to do so is the second stated goal 
of this thesis, and will be the subject of this and the remaining chapters. This chapter considers 
the particular tasks of entanglement distillation, quantum state merging, and secret key distillation 
in three respective sections. The complementarity approach to the first and last was developed in 
detail in [RB08] , while state merging was treated from this approach in [BR09] . 

Entanglement distillation is one of the fundamental protocols in quantum information process- 
ing and can be used as a building block in a variety of other protocols. In particular, one-way proto- 
cols for entanglement distillation can be repurposed for use in reliable communication of quantum 
information over noisy channels. This allows us to apply our results to that problem and show that 
the quantum capacity of a channel can be achieved when the sender uses CSS codes. Meanwhile, 
the secret key distillation results imply that the capacity of a quantum channel to send classical 
information privately can likewise be achieved when the sender uses CSS codes. 

4. 1 Optimal Entanglement Distillation 

We begin by returning to the problem of entanglement distillation, introduced in Section 2.3. In this 
setting, Alice and Bob share a supply of identical, somewhat-entangled bipartite resource states 
which they would like to use to create EPR pairs. An entanglement distillation protocol is a se- 
quence of local operations they should perform on their respective systems, supplemented by clas- 
sical communication to coordinate their actions and exchange information. The protocol produces 
approximate EPR pairs at a given rate r, converting n resource states to nr pairs. For instance, the 
rate of the protocol described in Chapter 2 using the Shor 9-qubit code is given by the rate of the 
error-correcting code, namely 1/9, since the output was taken from the encoded subspace of the 
code. The asymptotically optimal rate is the largest r one can find among protocols for n — > oo such 
that the approximation parameter vanishes in this limit. 

As we saw in Chapter 3, Alice and Bob implicitly share an entangled state if Alice's amplitude 
and phase measurements are predictable by Bob. But a generic bipartite state does not share this 
property; at best Bob has only partial information about either observable. Heuristically, one way 
to manufacture entangled states would therefore be to increase Bob's information about these mea- 
surements somehow. And since such information is classical, we may be able to arrange for Alice to 
send it over the classical communication channel. In the following we shall develop this heuristic 
notion into a concrete protocol. To do so we must first overcome two immediate hurdles. First, 
what sort of information can she send which will be sufficient for this purpose? And second, how 
do we make sure Alice does not violate the uncertainty principle when sending information about 
complementary observables? We take up these two questions in turn. 

4.1.1 Information Reconciliation 

If we consider either observable alone, the present task is a more general version of the information 
reconciliation task mentioned in conjunction with QKD in Section 2.4. If we only care about, say, 
amplitude, then we can imagine Alice measures the amplitude of all of her systems, and these out- 
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comes are described as a classical random variable. Formally, we can describe the state of all their 
systems after the measurement by 

xSjZ^B^Y, Pz Iz) ^^^=Y,Pz^ Tr^ [i^(V^^f "] (4.1) 

z z 

using the state \il>)^^'^ = Pz \z}^\(pz}^'^ and defining p^ = pz^--- p^^ and ¥?z = (/'zi ® • • • ® ^z„ ■ We 
use boldface to denote sequences or strings of indices. For each sequence of outcomes Bob is left 
with the quantum state ip^, but generally there is no measurement which will indicate which one 
he has with any accuracy. 

However, if Alice gives him some extra information about her outcome z, then the set of states 
he is attempting to distinguish between gets smaller, and the task gets easier. For instance, if Alice 
simply tells him that the sum of the first two outcomes (thought of as binary outcomes) is modulo 
2, then he excludes from consideration all the ip^ for which this is not true and attempts to distin- 
guish between the remaining states with a new measurement. Of course, she could just send Bob 
her entire measurement record z, but the goal of information reconciliation is for Alice to transmit 
as few bits as necessary to enable Bob to reconstruct z with high probability. 

It turns out that in the asymptotic limit n ^ oo, Alice only needs to send information at rate 
H{Z'^\B)^p . This expression accords with the interpretation of conditional entropy as the uncertainty 
about Z-^ given B: Bob is missing this much information about Z"* and in the protocol Alice simply 
provides it. Importantly, the information in question can be generated by the technique of universal 
hashing and Alice does not need to know anything about Bob's system except the value of H{Z^ 1 . 
In universal hashing, Alice randomly picks a so-called hash function / from a universal family of 
hash functions and sends Bob a description of / along with the output /(z). 

First defined by Carter and Wegman [83, 84] , universal hashing is meant to mimic certain behav- 
ior of random functions: A family of functions is universal when the probability that two different 
inputs to a randomly-chosen family member have the same output is the same as if the function had 
been chosen at random from all possible functions. This latter probability is simply the inverse of 
the number of possible function outputs, so formally we say a set ^ of functions / : {0, 1}" — > {0, 1}™ 
is universal when 

Pr/[/(x)-/(y)] <^ Vx,ye{0,l}". (4.2) 

Above we illustrated the information Alice might send to Bob by a linear function, and in fact the 
set of all linear functions forms a universal family [83, 84]. We shall make extensive use of linear 
functions for hashing in the next section. 

As shown in [RB08] , when the size of the hash is roughly nH{Z^ \ B)xp bits. Bob can reliably predict 
Z^. More concretely, for each hash value z = /(z) there exists a measurement ^J!^ with elements 

such that the guessing probability averaged over z is nearly one, 'Y^zP-i^^^^z-z.^z^ ^ 1- The proof, 
following ideas from Holevo [85] and Schumacher and Westmoreland [86] in the study of transmis- 
sion of classical information over quantum channels, explicitly constructs as a variant of the 
pretty-good measurement first used by Holevo for pure states [87] and later extended to mixed states 
(and so-named) by Hausladen and Wootters [88] . Essentially, Bob's measurement is given by 

Az;z^Pz</'z^''^'/'z^/'2^^^ ¥'2^ X ^^-^^ 

z:/(z)=z 

with some small modifications. We can simplify the formalism somewhat by imagining that Bob 
stores the hash value in an auxiliary system B' and uses the measurement with elements 

rf = A^z®^/' forwhich Pguess(Z^|^|^')^ 1. 
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In the case Bob holds classical information, i.e. the states (/?z are all simultaneously diagonaliz- 
able, information reconciliation is closely related to the famous Slepian-Wolf problem of coding of 
correlated sources [89]. The case of Bob having quantum information was studied and solved in the 
present i.i.d. scenario by Winter [90] and Devetak and Winter [9 1 ] using random coding techniques. 
In Section 5.1.4 we very briefly describe how the result can be generalized to the case of arbitrary 
resources. 

4. 1 .2 Reconciling Complementary Information 

Having seen that the output of a suitably- sized random hash function enables Bob to reconstruct 
the outcome of Alice's amplitude or phase measurement, we now turn to the problem of how Al- 
ice can generate both pieces of information without violating the uncertainty principle. Calling the 
hash function used for the amplitude measurement / and the phase measurement g, Bob sepa- 
rately requires both /(z) and g(x) so that he can predict the amplitude outcome z and the phase 
outcome x. Naively, it seems impossible to generate both /(z) and g(x), since this would apparently 
require Alice to measure both the amplitude and phase of her systems. 

Crucially, however, the input x (z) is not required to fix the output g(x) (/(z)). Instead, Alice 
need only measure appropriate observables which generate the output directly, and the necessary 
observables for f{z) and g(x) can commute. Such a structure is in fact provided by CSS codes. Recall 
again the very simple example above, in which Alice transmitted the output of the linear function 
Zi®Z2 to Bob. As we saw in Section 2.2.1, this can equally-well be thought of as the outcome of mea- 
suring the operator Z1Z2, since its eigenvalues are (-1)^1*^2. But every linear function is a sequence 
of one-bit functions, each of which is just a sum of particular amplitude outcomes z^, so to each 
linear function corresponds a sequence of products of amplitude operators. In other words, every 
linear function of the amplitude measurement outcome is associated with a collection of Z-type 
stabilizers, and similarly for X-type stabilizers and functions of the phase measurement outcomes. 

If the two functions / and g are chosen so that the corresponding Z- and X-type stabilizers 
commute, together they define a CSS code, and Alice can then generate both /(z) and g(x) by mea- 
suring the stabilizers of the code. The commutation condition on the stabilizers can be succinctly 
expressed in the following way. For an n-qubit stabilizer, the corresponding linear function can be 
specified by the n -dimensional binary F2 vector with entries 1 at position kiiz^ appears in the sum, 
and zero otherwise. For instance, in the 9-qubit Shor code, the stabilizer Z1Z2 corresponds to the 
vector (1, 1, 0, 0, 0, 0, 0, 0, 0) while the stabilizer X1X2X3X7X8X9 corresponds to (1, 1, 1, 0, 0, 0, 1, 1, 1). In 
this representation, two stabilizers commute if the corresponding vectors are orthogonal over F2. 

The only requirement on the functions / and g is that they come from universal families ^ and 
^ of hash functions, respectively. Suppose nz and nx are the required number of amplitude and 
phase type stabilizers, respectively, as determined by the rate requirements of the respective infor- 
mation reconciliation tasks. Then it is easy to show that one simple universal family encompassing 
both hash functions is the set of (n^ -I- nx) x n matrices over F2 consisting of pairwise orthogonal 
rows. The first nz rows give the Z-type stabilizers and the remaining nx rows the X-type stabilizers. 

Given these stabilizers, it is convenient to think of the code as partitioning Alice's qubits in sys- 
tem A into three different sets of virtual qubits, the encoded qubits in subsystem A, the nz qubits 
whose amplitude measurement gives /(z) mA, and the nx qubits whose phase measurement gives 
g(x) in A. Then by the properties of the stabilizer operators, z — f{z) and x = g(x), where z denotes 
a particular sequence of amplitude measurement outcomes for system A. 

Now we have all the pieces needed to construct an entanglement distillation protocol. Starting 
from n copies of the resource state, Alice will measure nz Z-type stabilizers and nx X-type stabi- 
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lizers and communicate the resulting syndromes to Bob. Tiien, for large enough n, he will be able 
to predict Alice's measurement of encoded amplitude and phase operators using the appropriate 
pretty-good measurements, and thus create an approximate EPR state following Theorem 1. 
Formally, they begin with the state 

z 

= Y.^fp'.\^'^\^^W)^W.)'''' • (4.5) 

z,z,z 

where in the second line we use the decomposition of Alice's system into the three sets of virtual 
qubits and consider z to be a function of (z, z, z). The number nz is chosen so that p^Mess[Z^\^i^')ip ^ 
1, where again B' is the system in which Bob stores z. Since z is a (linear) function of z, this implies 
that Pgaess{Z\^i^^ ) 1. As much is true for the phase in that given the value of x stored in B", 
there exists a measurement for which Pguess(^l-^/^ )ip Therefore Bob can recover ap- 

proximate EPR pairs by performing these measurements coherently, as shown in Theorem 1. In this 
way they can distill n — nx — nz approximate EPR pairs, provided this quantity is positive. Note 
that here we have only utilized communication from Alice to Bob, making this a one-way protocol. 
Using back and forth communication Alice and Bob could in principle increase the distillation rate, 
as pointed out by Bennett et al. [53] for protocols where both parties use quantum error correction, 
as described in Section 2.3. 

4. 1 .3 Constructing an Optimal Protocol 

The final question is how small uz and nx can be made, and here there arises an additional subtlety. 
From the above discussion, we would expect that Uz ^ nH{Z^\B)^ and nx ^ nH{X-^\B)^,. However, 
Alice and Bob can do better. Initially, the purification of their shared state is 

z 

After receiving the amplitude information. Bob has full information about z, which he could store 
in system Cz- Then, for the purposes of predicting Alice's hypothetical phase measurement, it is as 
if they originally shared (a close approximation to) the following state, 

|^^^^CzB£^^y^|^^^|^^Cz|^^^Bi?^ (4.7) 
z 

and this may simplify Bob's phase-prediction task in general. 

One might worry that Alice's phase measurement is no longer possible even hypothetically due 
to the amplitude stabilizer measurement. However, Bob can still use the conditional marginal states 
for ^\d^f''''^ = 7F Sz yP^(-l)"^ \'^f' IV'z)'''' = -^{Z-fz \<i,fzBE build the unitary op- 
erator Uj{^ . This gives him what would have been the phase measurement outcome, and therefore 
the outcome of the encoded phase measurement. The existence of the former has indeed been 
destroyed by the amplitude stabilizer measurement, but the latter has not. 

A concrete example in which amplitude information is relevant to phase is provided by the fol- 
lowing. Suppose the state Alice and Bob share is a maximally-entangled state afflicted only 
with errors of the form XZ. Then amplitude Z errors are completely correlated with phase X errors. 
Thus, Bob need only know the positions of amplitude errors in order to infer the positions of phase 
errors. In other words, H{X^\BCz)xi! = 0. 
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Taking the above consideration into account, the rate of entanglement distillation becomes 
riijj) = 1 - //(Z^|B)0 - H{X^\BC)i/,^, as all the approximation parameters can be taken to arbitrarily 
small values by choosing a large enough n. It turns out that r{il>] = —H{A\B)ii,, which we can see by 
direct computation. First evaluate the latter entropy H{X^\CzB]ii,^, using the form of \tpz} derived 
in (3.37). We find 



//(X^ICZb)^,^ = H{X''CzB]^,, - H[CzB)^„ (4.8) 

- H{X%^ + H{CzB\X%^ - H{CzB)^,^ (4.9) 

- 1 - H{CzB)^, - H{CzB)^^ (4.10) 
= l-HiE)^,-HiAE)^,^ (4.11) 
= l-H{E)^p-H{Z'^E)^,. (4.12) 



The first step follows from the general relation between conditional and unconditional von Neu- 
mann entropies, while the second follows because the state of CzBE conditioned on outcome 
= X is (Z^)"^2 lipf^^'^. As these are all unitarily equivalent, each term //(CzB|X^ = x)^^ has 
the same value H{CzB)^. In the third step we have used the fact that H{Si) = HiSz) for a bipartite 
pure state on systems Si and 82- The last step follows because ip"^^ is identical to the result of mea- 
suring the amplitude of A for the initial state ip^^. Hence r{ip] = H{Z^\E]ip — H[Z^\B)ip. But since 
the BE system given the measurement outcome Z"^ = z is pure, H{B\Z^ = z)^ = H{E\Z^ = z)^,. 
Therefore H{Z^E)^, = H[Z^B}^, and r{ip) — -H{A\B)tp — H{A\E)tp. This rate is sometimes called the 
hashing bound. 

Two further modifications lead to the optimal entanglement distillation rate. First, Alice is free to 
first apply any quantum operation to her system before the protocol begins, and this increases 
the rate to 

Di{iP) = max[-H{A\B)^^). (4.13) 

Second, the rate can be further improved by regularization. Although we have described the proto- 
col above for system A a qubit, it works almost precisely the same for any dimension d which is a 
prime power.^ Given a state ijj^^, we could then imagine considering = [ipAB^<g>m i^g ^j^g f^j-^. 
damental input to the protocol, and Alice and Bob starting with n copies thereof. The difference is 
that now Alice and Bob can ignore the product structure of which leads to the possibly- higher 
rate 

□(?/')= lim iDi(«/)®"). (4.14) 
Devetak and Winter show this rate, the distillable entanglement, is in fact optimal in [92]. 

4.1.4 Quantum Noisy Channel Coding 

With a small modification, this entanglement distillation protocol can be used for reliable trans- 
mission of quantum information over a noisy channel Jt^. As mentioned in the discussion of ap- 
proximate error-correction in Section 3.1, we can always mimic the quantum communication task 
by sending half of an EPR pair through the channel and measuring the half remaining with Alice in 

^The restriction to prime powers comes from tlie structure of tlie stabilizer operators. Tliese require tlie vector- 
representation described in Section 4.1.2 which only exists when the symbols come from a finite field. 
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the appropriate basis. Thus, by deferring the measurement indefinitely, we only need to consider 
reliably transmitting halves of EPR states. 

Now consider the entanglement distillation protocol applied to ijj^^ = [id^ ® for an 

arbitrary pure state \6}^^. The protocol is constructed so that, averaged over all values that the 
syndromes could take on, the distilled state closely approximates the ideal of n r EPR pairs. Pick the 
syndrome with the best approximation parameter, which is surely better than the average. Since 
in the communication scenario Alice can choose the input, she can always do so in a way which 
ensures her stabilizer measurement yields precisely this syndrome. Therefore, Alice and Bob could 
agree on the syndrome value in advance. 

But this defines an encoder and decoder in an error-correction scheme! Alice directly creates 
the bipartite state resulting from measuring the code stabilizers on many instances of 6^^ and ob- 
taining the specified syndrome. She then sends Bob's halves through the channel, and he is able to 
decode the result by applying the entanglement distillation procedure. Since entanglement can be 
faithfully transmitted, so could any particular single-system state. 

Applied to single inputs, this implies that reliable quantum communication must be possible 
over the channel at rate (here we dispense with the operation 

Qii^) = max [-H{A\B)^). (4.15) 

Despite its nonstandard appearance, this is equal to a maximization over the coherent information 
Ic introduced by Schumacher and Nielsen [93] and more frequently used in this context. To see this, 
write 10)"*^ = ^/pk\k}^ Wk)^ for some probabilities pk and normalized states |i9fc)^- The action 
of the channel on B can be thought of as an isometry C/^""^^ and | j/))^^^ ^ /p^ | k}^ t/j^""^^ Wk)" 
is the output. Computing the conditional entropy H{A\B)ii, we find 

Qi(^) = max [h{B)^: - H{Ry,) (4.16) 
= max [Hi^i-d)) - H[J^* (#))) (4.17) 

= maxIM,jV), (4.18) 

a 

where ^ — "Y^kP^^k channel complementary to jV obtained by applying f/^r*^^ and 

keeping R instead of B. In the first line H{AB)ip = H{R)xp since ip is pure, and maximization over 6 
is equivalent to maximization over # in the second line. 

Regularization could improve the result, and we have therefore we have constructed a noisy- 
channel coding scheme which achieves a rate Q(^), where 

Q(^)- lim -QiC^®"). (4.19) 

In fact, this is the ultimate capacity of the channel. In a sequence of papers [64, 93, 94, 95], Barnum, 
Knill, Nielsen, and Schumacher established Q as an upper bound on the capacity, while Lloyd [96] , 
Shor [97], and Devetak [98] used random-coding arguments to show that Q can be attained. 

Here we have shown that CSS codes can achieve the capacity, since the resulting code inher- 
its this structure from Alice's use of CSS-type stabilizers in the entanglement distillation protocol. 
Previously, CSS codes were only known to achieve a lower rate, as implicitly shown by Shor and 
PreskiU [57] and explicitly by Hamada [99] . The more-general stabilizer codes were shown to achieve 
the capacity by Hayden et al. [70] . 
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Devetak's coding sclieme has some CSS-like properties in that it essentially consists of an ampli- 
tude error-correction step followed by a privacy amplification step. From the discussion of the pre- 
vious chapter, particularly Lemma 4 but with amplitude and phase trading places, we are tempted 
to view the latter step as error correction of a phase observable, and indeed we shall examine this 
in more detail in Section 5.2.1, but the amplitude and phase observables implicitly used in [98] are 
functions of the coding scheme itself and not identical to the (code-independent) amplitude and 
phase as we have used here. 

One appealing aspect of the use of CSS structure is the possibility of constructing efficiently 
encodable and decodable codes which approach or even achieve the capacity. For classical com- 
munication over classical channels, Forney exhibited such a construction by concatenating random 
codes with structured codes known as polynomial or Reed-Solomon codes [100]. Hamada has ex- 
tended this to the quantum case in a sequence of papers [101, 102, 103], but only up to the subop- 
timal rate mentioned above. It would be interesting to see if the methods presented here can be 
combined with those of Hamada to reach the capacity efficiently. 



4.2 Optimal State IVIerging 

Since the unitary Bob eventually uses to distill the entangled states also transfers the state of Alice's 
system A to his laboratory, the above protocol can be used for state merging, a process first studied 
by Horodecki etal. [66]. Here the goal is to merge Alice's part ip^^ of the joint state ip^^ with Bob's 
so that he ends up with tp^^, using as little quantum or classical communication as possible. Addi- 
tionally, if we consider the purification lip)"^^^, all correlations with the purifying system R should 
be transferred to Bob as well. Not only should Bob end up with a good approximation to i/)^^, but 
together with R the final state should closely approximate \ip)^^^. 

When tp^^ is itself pure, state merging reduces to quantum data compression. Since Bob has no 
initial information about Alice's state, whatever she sends must be sufficient to reconstruct her state 
and can be regarded as the compressed version of it. Schumacher has shown that a state ip^ can be 
compressed at rate no greater than H{A) [15], meaning Alice and Bob will need to use a quantum 
channel at this rate. 

However, when Bob's system is correlated with Alice's, they can take advantage of these corre- 
lations to reduce the amount of communication needed. Indeed, if Alice and Bob share the EPR 
state 1$)"*^, then no communication is required at all! This follows because a maximally-entangled 
state is not correlated with any third system, and so Bob can simply recreate the state at his end. For 
example, applying Theorem 1 to the input state 1$)"*^ yields output 1$)"^^ |$)^^ upon application of 
the partial isometry [/b-'BCd 

Moreover, sometimes sending only classical information is sufficient for transferring a quantum 
state. This is precisely the case when using the entanglement distillation protocol, which works for 
all tp"^^ such that H[A\B] < 0. That classical communication is sometimes sufficient is somewhat 
surprising, but with entanglement Alice could teleport her system to Bob using only classical infor- 
mation, and this is effectively what happens as a byproduct of the entanglement distillation pro- 
tocol. By expressly using teleportation, we can also apply the distillation protocol to cases when 
H{A\B] > 0, as described in [66]. For n resource states ip^^ Alice and Bob can create nH{A\B)^p EPR 
pairs to go with their n resource states, and the overall conditional entropy of the entire collection 
of systems is now roughly zero. Running the entanglement distillation protocol produces no new 
EPR pairs, but does transfer Alice's part of the resource state to Bob. 
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Horodecki et al. have shown that state merging requires quantum communication at the rate 
H[A\B)fi, when this quantity is positive, but only classical communication at rate /(A : E)^ when 
H{A\B)ij, is negative [66, 67]. Using the entanglement distillation procedure above is therefore opti- 
mal in the first setting but not always in the second, as the rate of classical communication needed 
is {nz + nx)ln = 1 - H{A\E)^ > I{A : 

However, we can make a small alteration to the protocol to make it optimal, as shown in [BR09] . 
Observe that when H{A)^ = 1, the procedure is in fact optimal. This suggests that we ought to first 
compress system A and then perform entanglement distillation. The difficulty in making this work 
is to ensure that the compression step does not interfere with the amplitude and phase information 
reconciliation steps. Since compression of quantum systems can be thought of as essentially just 
classical compression in the eigenbasis, it simplifies matters to choose the amplitude basis to be the 
eigenbasis of Alice's state ip"^. 

Formally, the tripartite system ABE starts in the pure state given in Equation (4.6). The com- 
pressor projects the system onto a subspace spanned by a set of eigenvectors |z) whose total prob- 
ability is nearly equal to one, a so-called typical set. Even though the typical set contains almost 
all of the probability, it only contains roughly 2"^^^^ of the 2" total eigenvectors. Thus, with prob- 
ability nearly one the projection operation succeeds and the subspace needed to support the state 
drastically shrinks. Rarely, the projection operation fails, and the state must be written off as a total 
loss. 

When the compressor succeeds, the state can be expressed as 

zeTyp 

where Typ is the typical set and ^ is the required normalization factor. On the typical subspace 
we can order the basis elements lexicographically and define a new amplitude observable Z' as in 
Equation (3.25), as well as the phase observable corresponding to the shift operator of said basis. 
After the compression step, the idea is for Alice and Bob to run the entanglement distillation pro- 
cedure for the new observables Z' and X'. However, the distribution of measurement results for 
these two operators is no longer i.i.d., and thus the results of information reconciliation we used 
previously no longer apply. We have no direct way of knowing how many stabilizers Alice should 
measure, nor how Bob should construct his measurement. 

This poses no serious problem for the new amplitude observable, since it is essentially the same 
as the old one, just missing the non-typical values. Indeed, the information reconciliation protocol 
also makes use of typicality in that Bob's measurement does not bother to look for non-typical z in 
the first place. Thus, explicitly rejecting these possibilities in the compression step will only serve 
to reduce the error probability for information reconciliation of Z'. Alice can perform precisely the 
same Z-type stabilizer measurements as before, and Bob's original measurement will accurately 
reconstruct Z and therefore Z'. 

However, this sort of argument does not work for the new phase observable X'. Since X and X' 
are not so simply related, Bob's knowledge of X generally does not pertain at all to his knowledge 
of X'. Luckily, the extra system Cz which was used to achieve the optimal entanglement distillation 
rate comes the rescue. In the entanglement distillation protocol it gave Bob's marginal states con- 
ditioned on Alice's phase measurement a group -covariant structure, and it does so in the present 
scheme as well. In turn, this makes it possible to transform the information reconciliation protocol 
in the original i.i.d. setting to one appropriate for the new non-i.i.d. setting. 
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After the amplitude information reconciliation step, phase information reconciliation proceeds 
as if Alice and Bob shared the state 

zeTyp 

The group covariance arises just as before, due to the "copy" of z in system Cz- The required num- 
ber of X'-stabilizer outcomes must be computed in the construction of the reconciliation protocol, 
and it turns out to be nx' — H{A)^,^ + H{CzB\X^)xp;^ — H{CzB)^,^. Following the calculation in the 
previous section, this is just nx' = H{A)ij, — H{Z^\E]ii,. For the first term we have used the fact that 
H{A]ii,^ = H{Z^)ip = H{A)ip since the amplitude basis is the eigenbasis. The communication cost of 
the protocol is now + = H{A\, + H[Z^\B\, - H{Z^\E\, = I{A : E)^. 

Since they are working in the typical subspace, Alice and Bob can expect to extract roughly 
nlog|Typ| — nz— entangled pairs, where |Typ| 2"^^^^ is the size of the typical set. This works out 
to an entanglement distillation rate of H{A)ij, — I{A : E)^, = — just as before. Therefore, by 
adding a compression step and choosing the amplitude basis to be the eigenbasis of Alice's system, 
we have managed to convert the optimal entanglement distillation protocol into an optimal state 
merging protocol. 

4.3 Secret Key Distillation and Private Communication 

Section 3.4 detailed the close connection between private and entangled states, and in this section 
we show that the same methods used in Section 4.1 to construct entanglement distillation protocols 
can be used to construct protocols for creating a shared secret key from a supply of bipartite quan- 
tum states. Due to the CSS nature of this approach, we really only need to construct a private state 
distillation scheme, and it will work for secret key distillation as well. As explained in Section 2.4, 
Alice and Bob ultimately only need to ensure that the information about Alice's hypothetical phase 
measurement is somewhere to be found in the systems under their control. 

The private state distillation protocol works almost exactly as the entanglement distillation pro- 
tocol. Given n copies of the resource state ip^^, Alice is free to decide how to define the prospective 
key and first performs a quantum operation which maps her system A into two systems 

AA'. The first is used as the key and the second as a shield. This operation may additionally in- 
volve a measurement whose outcome T is publicly transmitted to Bob, and the resulting state is 

In the second step Alice measures enough amplitude and phase stabilizers on A so that the 
amplitude Z^ can be reconstructed from system B and the phase X"* from the compound system 
A'B. The number of stabilizers needed is set by the requirements for information reconciliation of 
each task separately, and again the amplitude information may be useful in recovering the phase 
information. Therefore the number of stabilizers needed amounts to nz nH{Z^\BT)ip^ and nx 
nH{X^\CzA' BT)^, ^ 2, where ^^^^ ^ is the state defined by coherently copying the amplitude in A 
to system Cz- Alice may choose the optimal operation ^, yielding the distUlation rate 

KiitP) = m^ax(l - H{Z^\BT]^p^ - H{X^\CzA' BB'T\,^^) (4.22) 
= max[H{Z^\RT)^^ - H{Z^\BT]^i,^) , (4.23) 

where the second line follows by the same calculations which led to Equation (4.12). 
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Alice need only transmit the amplitude syndromes to Bob since they use the encoded amplitude 
Z as the final key. The phase syndromes need not be transmitted, since according to Theorem 6 the 
mere existence of a phase-predicting measurement m'^^^ ensures the secrecy of the key. This 
means the protocol can be immediately converted into a secret-key distillation scheme in which 
Alice and Bob make their amplitude measurements first, Alice then transmits the amplitude syn- 
dromes, and finally Alice and Bob compute the final key from the encoded amplitude operator Z. 
From the outside, they cowZfi have actually run the private state distillation protocol, phase stabilizer 
measurement and all, and so the secret key distillation protocol inherits security from the private 
state distillation protocol. 

Regularization can again in principle increase the rate further, and the resulting rate is identi- 
cal to the upper bound found by Devetak and Winter [92]. Thus we have constructed a secret key 
distillation protocol which achieves the optimal rate 

K(j/>)- lim -KiCV®"). (4.24) 

Given a shared, secret key Alice can transmit secret messages to Bob over a public communica- 
tion channel simply by encrypting the message with the key. For absolute security, Shannon showed 
that one requires a key exactly as long as the message [54], and the message may be encrypted by 
simply computing the exclusive-OR of the key, a scheme knovm as a one-time pad or Vernam cipher 
after its inventor [104]. 

Therefore Alice and Bob may use the secret key distillation scheme above for private commu- 
nication over public channels. As Alice can choose the input to the channel, she may simply select 
that input which gives the output with the largest distillable key. Then they proceed with secret key 
distillation and the one-time pad. This gives a private communication rate of at least Pi(^) using 
Ki above, at least when assisted with public communication. This quantity is sometimes referred to 
as the private information and we shall encounter it again in Section 6.3. Once more, regularization 
may improve the rate, and the resulting expression P{jY) was shown to be an upper bound in [98]. 
The the protocol for private communication constructed in this way achieves the capacity. Here we 
have not attempted to remove the public communication from Alice to Bob as we did in the case of 
quantum communication, but it is also shown in [98] that the private capacity can be achieved even 
without such assistance. 
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In Chapter 4 we saw that reconciling Bob's quantum information in system B with Alice's amplitude 
observable requires her to send Bob extra information about at rate H[Z^ \ B)^, . This quantity 
trades off with //(X^jf)^, in the uncertainty principle Equation (1.7), H{Z^\B\, + H{X^\E),i, > 1. 
As it happens, //(X^jf)^, is also the rate at which Alice can perform privacy amplification of X^, 
extracting uniformly- distributed bits from which are completely uncorrelated with E. Thus, the 
less information Alice has to send to Bob about Z^, the more randomness she can extract from X^ 
unknown to E. There exists a duality between these two protocols due to the uncertainty principle. 
The fact that the rates of the two protocols are connected invites us to think that the protocols 
themselves may be connected as well — that it may be able to transform one protocol into the other. 

Here we show that this is indeed the case, recounting results from [Renll, RRll] and presenting 
some new material. This chapter is divided into four main sections. In the first, we recount how in- 
formation reconciliation and privacy amplification protocols based on linear hash functions can be 
transformed into each other, following [Renll]. The duality extends to non-i.i.d. resources where 
the notion of asymptotic rates is no longer valid, and we remark that this implies a more general 
form of the uncertainty principle in terms of generalized entropies suitable for such unstructured 
resources. In the second section, we explore the implications of this duality for constructing entan- 
glement distillation protocols, and by extension, the other related protocols discussed in Chapter 4. 
This material has not been previously published. The third section is devoted to the result of [RRll] 
which shows that coding schemes for communication of either public or private classical informa- 
tion over noisy channels can be constructed by combining privacy amplification and information 
reconciliation. Thus, the two dual protocols occupy a very fundamental place in the study of infor- 
mation theory, as they can be combined to generate a variety of protocols for other tasks. 

5. 1 Duality of Privacy Amplification and Information Reconciliation 

The duality of information reconciliation and privacy amplification protocols both based on linear 
universal hashing essentially comes down to complementarity, specifically the fact that amplitude 
measurements destroy phase information and vice versa. Roughly speaking, if Alice measures am- 
plitude stabilizers to perform information reconciliation of Z"^ with Bob, this can also be seen as 
randomizing the conjugate phase X^ stabilizers, as would be useful in privacy amplification. With 
Lemma 4 in mind, we expect that if information reconciliation succeeds and Bob can reliably re- 
cover the encoded amplitude Z, then the encoded phase X must be uncorrelated with system E. 
Making this work in reverse is slightly more complicated, and there are two versions, corresponding 
to Corollaries 2 and 3. 

5.1.1 Privacy Amplification 

Before delving into the duality of these protocols, we first describe the process of privacy amplifica- 
tion and the known results in more detail. Imagine that Alice has an n-bit classical random variable 
X"^ which is correlated with an external system E in some way. Letting X^ be the phase observable, 
we can describe this state of affairs as 




(5.1) 



X 
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If the #x were identical for all x, then E would have no information about the value of X^. Con- 
versely, if the #x have disjoint supports, then a measurement of E projecting onto these supports 
can determine x without error. 

First introduced by Bennett, Brassard, and Robert [105, 106], the goal of privacy amplification 
is twofold, to compute some function = f{XA) ofX^ which is both uniformly distributed and 
independent of E. Keeping only the function output /(x) means that, for a given output x, the 
state in E is averaged over all the x for which /(x) = x. The goal is then to average over enough 
values of x so that the conditional states #x — X!x /(x)=x^x^f are identical for all x. Of course, it is 

unrealistic to expect such an ideal output, so we settle for psecurel^l^") > 1 — £• When the state "^^^ 
is n instances of a state ip^^ pertaining to a single bit in A, the asymptotically- optimal rate at which 
private random bits can be extracted is defined by the largest rate achievable in the simultaneous 
limits n ^ 00, e ^ 0. 

In the case that the states i}^ are classical, i.e. simultaneously diagonalizable, Bennett etal. have 
shown that universal hashing can be used for privacy amplification [105, 106, 107]. Using random 
coding techniques in the i.i.d. setting, Devetak and Winter proved that the rate H{Z^\E)ip is achiev- 
able in the asymptotic limit for quantum [92] , whUe Renner and Konig show that universal hash- 
ing is also effective against quantum adversaries even for unstructured, non-i.i.d. resources [108]. 

One drawback of approaches based on universal hashing is the need for a large amount of ran- 
domness to select the hash function from the family, 0(n) seedbits for n input bits. Smaller function 
families would naturally be preferable. If we are unconcerned with privacy, the task reduces to ex- 
tracting the maximum amount of randomness inherent in the distribution of Z"*, and constructing 
efficient extractors has been the subject of much research in theoretical computer science (see e.g. 
Shaltiel [109] for a review). 

In particular, Trevisan's breakthrough construction showed that essentially all the randomness 
may be extracted from the input using extractors with seeds of size 0(polylog(n)) [110, 111]. Re- 
cently De etal. showed that Trevisan's construction can be extended to privacy amplification against 
quantum adversaries [112]. 

5.1.2 Privacy Amplification from Information Reconciliation 

Now we examine how an information reconciliation protocol using linear functions for universal 
hashing can be used for privacy amplification. Use of CSS codes makes this simple. Consider, as 
usual, a tripartite pure state \ ip}^^^. Instead of taking system A to be a qubit, we now assume that it 
has dimension 2" for some n. This can done without loss of generality by embedding A into a state 
space larger than the support of i/)^, and allows us to think of system A as a collection of n qubits. 

Suppose that there exists a protocol for information reconciliation of Bob's information with the 
Alice's amplitude which calls for Alice to compute a linear function of Z^ and send it to Bob. 
This computation can be thought of as measuring the stabilizers of a CSS code which contains only 
Z-type stabilizers. In terms of virtual qubits as described in Section 2.2.1, the entire collection of 
qubits can be grouped into two subsets, the encoded qubits and the stabilizer qubits. Denoting the 
amplitude values of the encoded qubits by z and those of the stabilizer qubits by z, we can express 
the initial state as (abusing notation slightly) 

z z,z 

where A [A] denotes the virtual subsystem of the encoded (stabilizer) qubits. 
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The information reconciliation protocol assures us that given the value of z, Bob can determine 
the value of z and therefore z. That is, there exists a measurement on AB which can reliably predict 
the amplitude of ^ with guessing probability greater than 1 — e for some small e. Then by Lemma 4, 
Psecme{X^\E)xi< > 1 — V2e. Therefore, to generate a random secret string from the phase observable 
X^, Alice can simply compute the encoded phase X. 

5. 1 .3 Information Reconciliation from Privacy Amplification 

Showing that a privacy amplification protocol can be repurposed for information reconciliation is 
somewhat more involved. Here we encounter the same complications as in Section 3.2: Just be- 
cause E has no knowledge of X^ does not imply that B can predict Z^. But the same technique 
used there of imposing extra conditions so that the uncertainty principle is saturated works here as 
well. There are two separate cases to consider. 

In the first of these we require pgaessiZ^\E)ij, = 1, meaning we might as well write the state as 

z 

for E = E1E2. This is somewhat more natural for the goal of amplitude information reconciliation, 
as it ensures that the AB state describes a classical variable in A and a quantum state in B: ij)^^ — 

Now suppose that there exists an encoded X such that Psecwe{^\E\, > 1 — e. Again using the 
encoded and stabilizer qubits for system A, it follows from Corollary 3 that there exists a measure- 
ment on AB which can recover Z with error probability less than ^/2e. However, Bob does not 
have access to A, and Alice must take care in what information she sends to Bob, lest it leak any 
information about the phase to E. Intuitively, however, measuring amplitude stabilizers on A de- 
stroys any phase information that might be present, so it should be safe to transmit the resulting 
syndromes to Bob. 

Indeed, the formal nature of the state shared by Alice and Bob makes this clear, since A is effec- 
tively already measured. Tracing out E, we obtain 

z,z 

Due to the classical structure of system A, we can assume without loss of generality that the mea- 
surement ^7 ^ has this structure, too. For let A-^ be the POVM elements of the and consider 

the joint probability of obtaining the outcome -^^^ = z' and Z = z, 

z 

Clearly the same probability results if we first determine the value of z and then use a POVM on B 
having elements U?^ = Tr[i^A^^]. But this is precisely how we expected the information reconcili- 
ation process to work: after learning Z, Bob can measure B and recover Z. 

In the second case we require PguessiX^\B)ii, = 1, so that Bob already has information about 
the phase. Should he also learn the amplitude, Alice and Bob would have created an entangled 
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state, so this scenario is essentially the latter half of an entanglement distillation scheme. In fact, 
the protocol of Devetak and Winter in [92] is constructed along these lines. Just as in the previous 
scenario, if a privacy amplification protocol can construct an encoded phase X uncorrelated with 
E, then the conjugate encoded amplitude Z must be reliably recoverable by measurement on AB, 
though now the implication follows from Corollary 2. However, we cannot use the same argument 
to show that measurement of the amplitude of A is sufficient to enable information reconciliation 
using system B. 

Instead, we can proceed as follows. From the requirement PguessC^'^l^))/' = !> the marginal state 
of the AE subsystems takes the form ij)^^ = (ilx.P^ "S* for some probabilities and normalized 
states "ff^. Decomposing Alice's qubits into virtual encoded and stabilizer qubits, the state is, in a 
slight abuse of notation, just ip"^^ = ^-^q^^P^ (8) (8) %x. Since the A system is in a phase eigen- 
state, measuring its amplitude delivers a completely random outcome and results in precisely the 
same state as if A were traced out. But the encoded phase is chosen by the privacy amplification 
protocol so that disposing of the stabilizer qubits leaves a nearly ideal key, and the amplitude mea- 
surement of the stabilizer qubits does not change this. Thus, for every measurement result we can 
conclude by Corollary 2 that there exists a measurement on B which gives z with high probability. 

In both of these situations the desired measurement is only shown to exist, but is not directly 
constructed. However, due to a result by Barnum and Knill, this presents no real difficultly, as the 
pretty-good measurement has an error probability which is at most a factor of two worse than the 
optimal case [95]. Thus, if privacy amplification is possible so that Psecuie{X^\E)ip > I — e, then 
using the amplitude stabilizer measurement and the pretty good measurement for Bob's conditional 
marginal states results in information reconciliation protocols with error probability less than zVZe. 

5.1.4 One-Shot Protocols and a Generalized Uncertainty Principle 

In the preceding sections we have treated Alice's system as a collection of n qubits, but it is impor- 
tant to note that the duality holds for arbitrary resource states, not just i.i.d. states. The i.i.d. setting 
is only necessary to define the asymptotically-achievable rates of the various protocols. Recently, 
a new framework has been constructed which makes it possible to characterize protocols operat- 
ing on arbitrary, structureless resource states in terms of smooth entropies. A proper treatment of 
smooth entropies and their calculus is beyond the scope of this thesis, but we remark that they can 
be thought of as generalizations of Renyi entropies which are somewhat more familiar in standard 
information theory and obey many of the same chain rules as the usual Shannon or von Neumann 
entropies. Here we wish to point out that the duality above, in particular the former duality of Sec- 
tion 5.1.3, implies a new entropic uncertainty principle formulated in terms of smooth entropies. 

There are two different smooth entropies, the smooth min-entropy and the smooth max-entropy, 
and each comes in both conditional and unconditional varieties. It turns out that the number 
£^^^{X^\E)^ of e-good random bits one can extract from which are secret from E is character- 
ized by the smooth min-entropy, £1^^{X^\E\, //^j^CZ^jE)^, [108, 113, 114, 115]. More precisely, 
£l^^{X'^\E]ip equals //^jjj(Z^|£')0 up to small deviations involving the smoothing parameter e. Much 
the same holds for information reconciliation, except using the smooth max-entropy. As shown by 
the present author and Renner [116], the number of bits Alice needs to send to Bob, generated by 
universal hashing, is given by £^gj,(Z^|B)^, H^^{Z^\B)ij,. Though it might not appear so, the def- 
initions of the smooth entropies are logically distinct from the operational quantities £1^^ and £'^^^. 
It should be noted, however, that the smooth entropies are themselves related to the operational 
quantities Pguess and psecure, a fact discovered by Konig etal. [117]. 
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Now consider a quantum state of the form given in Equation (5.2). Information reconciliation of 
the amplitude requires that Alice send £^^^{Z^\B)ip bits obtained via universal hashing of to Bob. 
But this implies Alice can equally-well use the encoded phase to generate random bits uncorrelated 
with E. In all she can create n — f[:g^(Z^|5)^, random bits this way, which must of course be less than 
the bound on privacy amplification established by the smooth min-entropy. Similarly, £'^^^{Z^\B)ip 
is bounded by the smooth max-entropy so we anticipate from this heuristic argument that 

KiniX^'mi^+H^^JZ^m, > n. (5.6) 

Indeed, the full analysis performed in [Renll] shows that the above expression is correct, up to 
terms of order log(l/e). The state in Equation (5.2) is arbitrary, so this generalized uncertainty prin- 
ciple holds for conjugate observables and any tripartite quantum state. Recently, Tomamichel and 
Renner have found a simple proof which extends the above uncertainty relation to arbitrary observ- 
ables in the manner of Equation (1.7) [118]. 

5.2 Different Approaches to Entanglement Distillation 

The entanglement distillation protocol presented in Section 4. 1 was built by combining informa- 
tion reconciliation protocols for both Alice's amplitude and phase observables. By the duality of 
information reconciliation and privacy amplification, we expect to be able to trade one task for the 
other, and base the construction of the protocol on either Theorem 2 or Theorem 3 rather than 
Theorem 1. In the following we present these two alternate approaches. It should be stressed that 
ultimately the alternate approaches followed here yield the same protocol as in Section 4. 1 , but they 
have completely independent justifications. 

In the first approach, we may think of the phase information reconciliation in the original pro- 
tocol as amplitude privacy amplification, which makes the goal of entanglement distillation to si- 
multaneously give Bob full information about Alice's amplitude while ensuring that E has none. 
Formally, the goal in constructing the protocol is to fulfill the conditions of Theorem 2. Clearly this 
approach is quite closely related to secret-key distillation, which has nearly the same goals, and in- 
deed was the original approach followed by Devetak and Winter [92] for entanglement distillation 
and Devetak in establishing the quantum capacity of a quantum channel [98] . Here we construct 
an entanglement distillation protocol having the same aims but a somewhat different structure, 
namely the use of CSS codes by Alice. 

In the second approach, we can give up on Bob altogether and focus entirely on removing am- 
plitude and phase correlations from E, with the aim of fulfilling the conditions of Theorem 3. To our 
knowledge, this approach is new. It shows that the commonly used quantum decoupling method 
can be broken down into two classical decoupling steps, further reinforcing the claim that quan- 
tum information processing can be understood as a combination of classical information process- 
ing of amplitude and phase information. Figure 5.1 depicts the relationship between the three ap- 
proaches. 

5.2. 1 Amplitude Information Reconciliation & Privacy Amplification 

Although the approach based on Theorem 2 is substantially similar to that pursued in [92], we in- 
clude it here for completeness. Again we consider the case in which Alice and Bob share asymptotically- 
many copies of a resource state ip"^^ which may be purified to \ip}^^^ . We will construct the protocol 
by choosing two sets of amplitude stabilizers, first a number nz large enough to enable information 
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Figure 5.1: Breakdown of Alice's n physical qubits into three subsets of virtual qubits in subsystems 
A, A, and A and what the different subsets are used for in the various approaches to entanglement 
distillation presented here. Theorem 1 is the goal of the construction in Section 4.1.3, where A is 
used to reconcile the amplitude information with Bob and A the phase information. The construc- 
tion in Section 5.2.1 takes Theorem 2 as its goal, and A is again used for amplitude information 
reconciliation with Bob, but A is used for privacy amplification of the same amplitude information 
against the environment. Finally, Theorem 3 is the aim of construction in Section 5.2.2, where A is 
used to decouple Alice's phase information from the environment and A her amplitude information. 



reconciliation with Bob and the second nx to achieve privacy amplification against E. Thinking in 
terms of virtual qubits and their associated amplitude and phase operators, let us call the encoded 
amplitude operators Z, of which there are n — nz— nx, the Uz stabilizers associated with information 
reconciliation Z, and those ux associated with privacy amplification Z. 

To ensure that Bob can reconstruct the original amplitude, and therefore the encoded Z, Alice 
measures the Z stabilizers and sends the resulting syndromes to Bob. This could give additional 
information about Z to E, but if the Z stabilizers are numerous enough, averaging over their syn- 
dromes destroys whatever information E had about the original amplitude Z. By itself, Z is inde- 
pendent of Z, since they belong to different sets of virtual qubits, so Alice can be certain that no 
information leaks to E in this process. 

We are not ready to apply Theorem 2, however. The shared state at this step in the protocol is 



where the amplitude of A has been transferred and copied to new systems B' and E', which mimics 
the classical measurement of Z and broadcast of the result z. From information reconciliation there 
is a measurement on BB' such that Pguess(Z|^-^^') is close to one, and via the above discussion 
of privacy amplification psecure(Z|£'£'0 is likewise nearly one. To apply Theorem 2 we still need to 
discard A without changing either of these conditions. 

This situation is precisely that of the second case of the previous section, from which it follows 
that measuring the phase X will not decrease Bob's guessing probability and will also not leak any 
information about Z to E. Formally, we can see this by examining the state after the phase stabilizer 
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measurement, 

x,z,z,z 

X yP^Slz)^|z)^'(X^)^"|x)^"|z)^'|x>^'V.,^,.)^^ (5.9) 

x,z,z,z 

Because z only shows up as part of a unitary operator on B" , tracing out all of Bob's systems means 
the state in E is averaged over these values, which was precisely the goal of privacy amplification. 
Moreover, z by itself is uncorrelated with z. Thus, in transferring the phase of A to systems B" and 
E" , we have Pguess(2^l-^j^ ^ ).Psecure(-Z|£' 1- Hence we can apply Theorem 2 to infer that 
Alice and Bob can recover a high-quality entangled state from their systems. By the known results 
on information reconciliation and privacy amplification, we can pick riz nH[Z^\B)^, and rix ^ 
n - nH[Z^\E\, so that the rate achievable by this protocol is H{Z^\E)^ - H{Z^\B)^, = -H{A\B)^, 
the hashing bound. 

5.2.2 Privacy Amplification of Botli Amplitude and Phase 

The method of the previous section can serve as a stepping stone towards a protocol which is based 
entirely on decoupling both amplitude and phase from E. All we have to do is turn the amplitude 
information reconciliation into privacy amplification of phase. From the discussion prior to The- 
orem 3, we know that it will be insufficient to decouple E from X and Z, rather we must aim to 
simultaneously decouple E from Z on the one hand, and CzE from X on the other. Note that in the 
latter case the state \ ipz)'^'^^^^ is only a device used in the proof; it does not need to show up in the 
protocol directly. 

To achieve this simultaneous decoupling, we again begin by specifying two sets of stabilizers, 
nz Z-type stabilizers to decouple the amplitude and nx X-type stabilizers to decouple the phase. 
As before, Alice's n qubits can be grouped into three sets of virtual qubits, the n — nz — nx encoded 
qubits in A, nx qubits in A, and nz qubits in A. If nx and nz are chosen appropriately, we can be 
sure that both psecure(^ I Cz^ji/^z and psecure(^ I £'))/' nearly one. Therefore system^ is implicitly 
in a maximially- entangled state with the joint system AAB, and the remaining task is to classically 
transfer A A to Bob without violating the privacy conditions. 

Following the method of the previous construction, suppose Alice makes amplitude measure- 
ments on A and phase measurements on A, which she then broadcasts this information publicly. 
While E now recieves extra information about the original amplitude and phase, no information 
about the encoded amplitude and phase has been leaked for the same reason as in the previous 
construction. The marginal states in E conditioned on the encoded amplitude (phase) value are 
stiU averaged over enough z (x) values to make them essentially identical. 

Formally, the situation is very similar to the previous case as well. In fact, for the observable Z, 
the state of\ip)^^^ after the measurements described above is precisely that of Equation (5.8), and so 
we can immediately conclude that psecuie{Z\EE' E") 1. The state relevant to privacy amplification 
of the phase can be expressed as, following Equation (3.37), 

\ip^)AC,BE ^ |x)^|x)^|x)^(Z'')C^ \ipf'''\ (5.10) 

X,x3 



53 



5. Duality of Protocols 



and after the measurement it becomes 



j/.ABB'B"EE'E' 



111 



^ (-ir ix)^ ix)^" ix)^" {z^f- 1*/-) 



CzBE 



(5.11) 



z,x,x,x 



1 



^ |x)^ |z)^' |z)^' |x)^" |x)^" (Z^)^n^^)^^ m 



z,x,x,x 



(5.12) 



Now the phase (—1)"^ cancels the similar phase inherent in the operator (Z^)*^. Again this enforces 
an average over x for the states in system E, ensuring that they are completely uncorrelated with 
X and therefore x. Just as before, x does not add any additional information about x, so we can 
conclude that psecure(^|£^£'£")i/)z 1 ^rid therefore Theorem 3 is applicable. For nx and nz we can 
pick n — nH[X^\CzE)ip^ and n — nH{Z^\E)i^,, respectively, yielding an overall rate of H{X^\CzE)^,^ + 
H{Z^\E)ip — 1. This works out to be H[A\E) = —H[A\B), which is the hashing bound once again. 

5.3 Classical Channel Coding 

In Section 4.1.4 we described how a protocol for entanglement distillation using one-way commu- 
nication can be used to reliably send quantum information over a noisy channel, and that protocols 
achieving the optimal rate of entanglement distillation lead to optimal channel coding. A similar 
result holds for classical information, as demonstrated in [RRll], albeit using information recon- 
ciliation and randomness extraction or privacy amplification. This leads not only to a new proof 
of Shannon's original noisy channel coding theorem in the case the channel is classical, but also 
to one-shot results for both public and private communication of classical information over noisy 
quantum channels. Moreover, using the results of Section 5.1, we can exchange the use of infor- 
mation reconciliation with privacy amplification of a complementary observable, and thereby con- 
struct a channel coding scheme which is entirely based on decoupling-type arguments. That is, we 
can construct a means for noisy channel communication not by directly ensuring that the receiver 
can properly decode the transmissions, but rather by ensuring that complementary information 
does not leak to the environment. 

On a heuristic level, the approach itself is quite similar to that of Section 4.1.4, not just the result. 
We can make the same sort of modification to an appropriate information reconciliation protocol 
as we did to entanglement distillation in order to create a coding scheme for the channel scenario. 
Suppose that Alice can send classical messages z e {0, 1} to Bob over a quantum channel such that 
he receives the corresponding state ipz- If they are in possession of an information reconciliation 
protocol for the state ifj^^ — | \z) {z\^ S) if^, then they can use this to communicate reliably over 
the channel. In the information reconciliation scheme Alice would compute a hash function of n 
instances of the random variable Z^, and with this information /(z) Bob could determine the actual 
z from his state f^. 

In the channel scenario this can be used to specify a code by the set of all possible inputs z 
(codewords) which hash to a specified value, say z. Ordering the elements of this set in some way, 
Alice can then map her actual message to the corresponding codeword. This defines an encoder. 
Presumably they have chosen an z for which the information reconciliation decoder has a small 
probability of error, and thus Bob can use that decoder to determine z and therefore Alice's intended 
message. 

In fact, when the original inputs z are uniformly distributed as above, one can easily show that 
not only will Bob have a small average probability of decoding error, but also a low error probability 
for every message. To determine the number of messages Alice can send, it is simplest to consider 
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the case of linear hash functions, where every output has the same number of preimages, namely 
the ratio of input to output size.^ Thus, if information reconciliation requires an m-bit hash for an 
n-bit string z, the resulting code can be used to transmit n — m bits, remembering that an n-bit 
input corresponds to 2" possible input strings. As we are working in the asymptotic i.i.d. scenario, 
we can apply the result mentioned in Section 4.1.1 that information reconciliation is possible at the 
rate r = H{Z^\B)^,, so that mr^nr. Therefore Alice can reliably send messages at rate \ — H{Z^\B)yp. 

There is still room for improvement, however, as the Holevo-Schumacher- Westmoreland (HSW) 
theorem (the quantum version of Shannon's noisy channel coding theorem) assures us that rates 
up to at least the Holevo quantity / = maxp^ I{Z^:B)^ — maxp^ H{Z^)^, —H[Z^\B)^ are possible [85, 
86] ? Clearly something is missing in the above, unless it happens that the optimal distribution is 
uniform. We have restricted attention to the uniform distribution for convenience in the proof, in 
particular to easily determine the number of messages which can be send with small worst-case 
probability of error. If we only cared about average probability of error, any distribution could be 
used for the purposes of converting an information reconciliation protocol to a channel code. The 
difficulty is then to exploit this freedom without requiring a substantially new proof. 

Fortunately, there is a simple way to deal with this problem by making use of the randomness 
extractors described in Section 5.1.1, though here the privacy properties will only be relevant to 
the case of private channel communication. Alice can use the extractor in reverse as a distribution 
shaper to simulate a random variable Z with arbitrary distribution Pz using a uniformly-distributed 
random variable U. To do so, Alice chooses an extractor output u at random and then maps it to a 
possible preimage z using the conditional distribution Pz\u=u ■ This requires an additional source of 
randomness, as the extractor function is not one-to-one. 

When Z is destined to be the input to the communication channel, we can instead think of U as 
the input to the "superchannel" composed of the shaper and the original channel. This is depicted 
in Figure 5.2, taken from [RRl 1] . Note that for this step we must rely on the recently-established one- 
shot results on information reconciliation, as mentioned in Section 5.1.4, because the joint state 
shared by Alice and Bob which describes the input and output is generally not i.i.d. However, in the 
one-shot framework all the previous results linking information reconciliation to channel coding 
can be applied to the superchannel. Alice encodes messages into the outputs u of the extractor and 
then sends these first through the shaper and then through the communication channel to Bob. 
Information reconciliation of U with B enables Bob to recover the original message. 

Using the smooth entropy results on structureless resources we can determine the (logarithm of 
the) raw number of messages Alice can reliably send to Bob, instead of the rate as appropriate to the 
i.i.d. setting. The details of the derivation are given in [RRll], and the result is that Alice can reliably 
transmit N bits to Bob, for 

iVciass ^ max [//^iJZ)^ - H'^JZ\B)^ - O(logi)] . (5.13) 

Here e characterizes the worst-case error probability of the coding scheme, and this expression 
agrees with a result found for classical channels found by Renner et al. [119].^ This result applies 
to completely arbitrary channels, but when Alice and Bob would like to communicate using n 
uses of a memoryless channel we can appeal to the asymptotic equipartition property (AEP) of the 

^The general case can be handled by probabilistic arguments [RRl 1] . 

^As with quantum communication and private classical communication over quantum channels, regularization can 
increase the rate further. Indeed, as discussed at the end of Chapter 6, regularization is necessary to reach the capacity. 

^Wang and Renner have recently derived a one-shot result for classical communication over quantum channels via a 
different method [120]. 
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Figure 5.2: Schematic of using randomness extraction and information reconciliation to perform 
noisy channel communication. Messages m E M are input to the encoder Enc' and subsequently 
to the shaper Shp, which is a randomness extractor run in reverse. Then they are then transmitted 
over the channel to the receiver, who uses the decoder Dec to construct a guess m' e M' of the 
original input. Concatenating the shaper and channel gives a new effective channel yK', for which 
an encoder/decoder pair (Enc', Dec) can be constructed by repurposing an information reconcilia- 
tion scheme that operates on the joint input-output UB of the channel. Ultimately, the shaper can 
instead be regarded as part of the encoder Enc, which is formed by concatenating Enc' and Shp. 



smooth min- and max-entropies, proven by Tomamichel et al. [121]. Roughly speaking, it states 
that i/^jjj(Z|B)i^,»H nH{Z\B)ip and similarly for the max-entropy. We then recover the rate given by 
the HSW theorem; for channels with purely classical outputs, i.e. quantum states which all pairwise 
commute, we recover Shannon's noisy channel coding theorem [6]. 

Besides an appealing modular proof of the noisy channel coding problem based on the sim- 
pler primitives of randomness extraction and information reconciliation, another appeal of this ap- 
proach is that by using privacy amplification instead of just randomness extraction for the distribu- 
tion shaper, we automatically obtain a construction suitable for private communication of classical 
information over a noisy quantum channel. In that case we find that the (logarithm of the) number 
of private messages which can be reliably sent is given by 

ATpriv ^ max [h'^^{Z\E]^ - H'^JZ\B]^, - 0(log '-)] , (5.14) 

where system E is the "other half" of the channel output. That is, upon input of z the channel 
produces the pure state \ipz)^^ shared between Bob and the environment or eavesdropper. As be- 
fore, an application of the AEP recovers the rate relevant in the asymptotic i.i.d. setting, namely 
maxp^ [//(Zlf)^ — H{Z\B)ip~^ . This agrees with the findings of Devetak [98] for quantum channels, 
and those of Wyner [122], Ahlswede and Csiszar [123], and Maurer and Wolf [124] for classical chan- 
nels. 

Finally, we note that combining this proof technique with the duality between information rec- 
onciliation and privacy amplification it is possible to prove that reliable communication is possible 
by ensuring that not too much information leaks to the environment. This decoupling approach 
was heretofore unknown to work for channel coding of classical information, and in fact this was 
the one major protocol not known to be amenable to a decoupling analysis. The encoding and 
decoding procedure is precisely the same as before, using a distribution shaper and information 
reconciliation to create an encoder and decoder. But instead of relying on constructions of infor- 
mation reconciliation protocols, we use privacy amplification and duality. Thus, the size of the code 
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is fixed by how much privacy amplification is needed for the observable conjugate to the uniform in- 
put U, and is therefore given by a smooth min-entropy. Using the uncertainty principle for smooth 
entropies formulated in [118] we can relate this to the smooth max entropy of U conditioned on B, 
and obtain again Equations (5.13) and (5.14). 
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Quantum key distribution is one of the major current applications of quantum information pro- 
cessing, requiring only minimal ability to coherently manipulate quantum information. Devices 
implementing QKD protocols such as BB84 are even currently available commercially. But where 
does the security of QKD come from? That is to say, how can we prove that a given protocol is truly 
secure and no would-be eavesdropper has any information about the key? 

There have been three main approaches to answering this question, each with its own advan- 
tages and disadvantages, which we briefly describe in the first of three sections in this chapter. In 
the second section we follow one of these methods, treating QKD as a means for virtual creation of 
entanglement as described in Section 4.3, and recount the results of [RG06] showing that it applies 
to a wide class of protocols, not just the original BB84 scheme. 

From Section 3.4 we know that entanglement is not strictly necessary for generating secret keys, 
and that in general private states suffice. In the third section of this chapter we describe how alter- 
ations to the BB84 protocol which improve the maximum tolerable error rates can be understood as 
part of a virtual private state distillation scheme, and that combining this additional step with sim- 
ilar enhancements to quantum error-correction lead to still better tolerable error rates. This work 
was first reported in [RS07, SRS08, KR08]. 

6. 1 Notions of Security 

The first proofs of unconditional security of the BB84 protocol — that is, security of the protocol 
under arbitrary attacks on the public quantum channel by the eavesdropper Eve — were given by 
Biham et al. [125, 126] and Mayers [127, 128]. Their methods are similar, and essentially rest on 
an implicit use of the uncertainty principle to bound Eve's information about Alice's key by Bob's 
information about the conjugate basis to the key.^ Biham etal. characterized the security as due to 
an information-disturbance tradeoff, the fact that eavesdropper cannot acquire information about 
Alice's signals without disturbing them. Such a tradeoff follows immediately from Equation (1.7), as 
to be able to gain information about e.g. the phase without disturbing the amplitude information 
would imply a violation of the entropic bound. 

At the same time, efforts to base the security of QKD on virtual entanglement distribution as 
described in Section 2.4 were underway, culminating in Shor and Preskill's proof for BB84 shortly 
after the two mentioned above. Their proof was a good deal simpler than the earlier versions, and 
achieved a higher error threshold, the maximum error rate at which the protocol can still safely 
generate secret keys (albeit at vanishingly small rates). The new proof established a threshold of 
11%, the previous proofs 7.56%. The simplicity also enabled the method to be extended to other 
protocols. Lo [130] established the unconditional security of the six-state protocol proposed by 
Bruss [131] which uses the eigenstates of the XZ operator as signals in addition to those of X and 
Z. Tamaki, Koashi, and Imoto [132] extended the method to a proof of Bennett's two-state proto- 
col (B92) [133], while Gottesman and Lo showed that it could also treat information reconciliation 
steps involving two-way communication [134], greatly increasing the error rate tolerable by BB84 to 
18.9%. Boileau etal. (including the present author) [135] proved the security of a B92-like protocol 
involving three states which was originally proposed by Phoenix etal. [136]. 

The original approach of Biham et al. and Mayers has its own advantages within the realm of 
the BB84 protocol, however, as it is not actually concerned with the details of Bob's measurement 

^Both of their formal statements make use of a related result by Yao [129]. 
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apparatus, only Alice's preparation device. This can be anticipated from the implicit use of the un- 
certainty principle: From Equation (1.7) it is clear that to bound Eve's knov\?ledge of the key it suf- 
fices to have a bound on Bob's knowledge of the conjugate observable to the key. It is not necessary 
to have an accurate physical description of how he comes by such knowledge, which greatly ex- 
tends the practicality of the proof. Koashi and Preskill combined techniques from both methods to 
treat the problem of an uncharacterized source [137] (but characterized detector), and later Koashi 
gave an even simpler proof which was the first to quantitatively appeal to the uncertainty princi- 
ple [138, 139]. Although the proof itself is constructed via other means, Koashi used the Maassen 
and Uffink relation. Equation (1.4), as a guide to determine the size of the secret key. Very recently, 
Tomamichel aZ. [140] have directly used the smooth entropy uncertainty relation of [118] to give 
a simple security proof of BB84 with uncharacterized detectors. 

Meanwhile, a third general approach focused on showing that privacy amplification produces 
secure keys even when the adversary holds quantum instead of classical information. To make 
use of privacy amplification one then needs to characterize the quantum states held by the eaves- 
dropper, or at least give a bound on the size of their overall support. Ben-Or showed that a re- 
sult from quantum communication complexity implies the efficacy of privacy amplification and 
that the knowledge gained by Alice and Bob in the BB84 protocol can be used to bound the effec- 
tive size of Eve's system [141]. Konig et al. demonstrated that privacy amplification works against 
quantum adversaries generally [142], and Christandl et al. developed this into a generic security 
proof which replicated the one-way results above, even improving the threshold for the B92 pro- 
tocol [143]. Kraus, Gisin, and Renner [144, 145] extended this to establish that many protocols are 
not only unconditional secure, but also safely composable with other cryptographic primitives to 
create larger cryptographic schemes which are themselves secure, following composability results 
by Renner and Konig [108] and Ben-Or et al. [146]. Renner provided another method also suitable 
for two-way protocols in his thesis [113]. 

It should be noted that the task of key distribution is considerably more involved than the task 
of key distillation as discussed in Section 4.3, and the security issue all the more complex. There 
the input state shared by Alice and Bob is known in advance, and moreover it is assumed to consist 
of n copies of some state ip. Neither of these statements hold in general in the present context, 
for although Alice sends n quantum systems to Bob, these travel over an insecure communication 
channel which could in principle be under the control of the would-be eavesdropper Eve. The dif- 
ficulty lies in the fact that the eavesdropper could in principle attack all the signals jointly, what is 
termed a coherent attack. If Eve attacked each signal separately, a collective attack, then Alice's and 
Bob's state would have the aforementioned i.i.d. form, and could be handled by those methods. 

Unsurprisingly, then, one widely-used method of handling coherent attacks is to reduce them 
in some way to collective attacks. Originally this was done on a more ad hoc basis for particular 
protocols, but has been made more systematic by Renner [113, 147], culminating in a very general 
statement by Christandl etal. [148]. This states that as long as the key distribution protocol is un- 
concerned with the order in which Alice transmits the signals, which can be enforced by arbitrarily 
permuting them, then security against collective attacks implies security against coherent attacks. 

6.2 Entanglement in Prepare and Measure QKD 

Quantum key distribution can be formulated as a virtual entanglement distribution scheme for a 
wide class of protocols and the Shor- Preskill approach used to prove the their security. In this sec- 
tion we briefly sketch out how this can be done, following [RG06] and simplifying some issues in 
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light of intervening research advances. The main conceptual difficulty in considering protocols 
other than BB84 in the Shor-Preskill framework is that it appears as if the CSS structure of informa- 
tion reconciliation and privacy amplification are directly related to the use of amplitude and phase 
eigenstates as the signals and for measurement. However, this is not actually the case, and in fact 
these two parts of the protocol have nothing to do with each other. This was already noted in the 
proofs by Tamaki et al. [132] and Boileau et al. [135], but [RG06] show how it can be made to work 
more generally. 

First let us settle on the general framework of prepare and measure protocol. A generic proto- 
col consists of five main stages. First Alice prepares quantum states and transmits them over the 
insecure quantum channel to Bob, who measures them; this is the only step in which quantum op- 
erations are actually needed. Second, they transform their classical transmission and measurement 
records to a prospective raw key. This step is usually called sifting, after the specific mapping used 
in BB84, and usually the transformation is chosen so that the raw key would be a truly secret key if 
the quantum channel were noiseless. 

As real channels are inevitably noisy, Alice and Bob need to distill a truly shared, secret key from 
the raw key. In stage three, parameter estimation, they compare some random subset of the raw key 
to determine the likely number of errors. This serves two purposes. In the fourth stage, information 
reconciliation, they use the knowledge from parameter estimation to agree on an identical refined 
key. Usually this involves Bob reconciling his raw key to Alice's, hence the name. Finally, they also 
use this knowledge to perform privacy amplification and thereby generate the final secure key. 

The trick to applying the Shor-Preskill framework more generally is to first formulate the prepare 
and measure process coherently, i.e. in quantum-mechanical language, and then regard Alice's and 
Bob's systems in this setting as being composed of two virtual subsystems. One subsystem (quan- 
tumly) records the key value, while the other (quantumly) records the sifting information. The sift- 
ing stage can then be seen as a measurement of the latter subsystems, plus postselection by public 
communication to select appropriately matching sifting outcomes. The virtual key subsystems re- 
main, and it is their entanglement which is at issue in the Shor-Preskill framework. The amount of 
entanglement, and thus secret key, which can be distilled may be estimated by making use of the 
symmetries of the signal states and measurement. 

We can illustrate this most easily using the BB84 protocol itself and then describe how it can be 
made to work more generally. As discussed in Section 2.4, the BB84 protocol can be described co- 
herently by pretending that Alice first creates EPR pairs and then sends one subsystem of each pair 
to Bob. Here, however, it is more appropriate to describe each signal sent by Alice as her preparation 
of the state 

and transmission of the B subsystem to Bob. The indices j and k specify the eigenvalue and ob- 
servable, respectively, of the state \ ^jk) transmitted by Alice; = denotes amplitude Z and k = \ 
phase, while the eigenvalue is given by (—1)^ . Bob makes a random measurement of the two ob- 
servables, which can be described by the isometry Uj^^'^^^ = "Y^jk Ij)^*^ 1^)^'^ {'Uik\^ > where here 
\'rjjk) = \^ik) but the distinction will be useful later. For a noiseless channel, his measurement pro- 
cess results in the state 

\^^fKAsB,Bs^i^^ X \i)''''\k)'''\i'f"\k'f'{r]i'k'\^ik). (6.2) 
ii'kk' 
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From the form of the inner products {rjj'k'l^jk) one can easily work out that if Alice and Bob 
each measure their S-labeled subsystems and obtain the same result, the remaining X'-labeled sys- 
tems are in the state 1$)"**^^*^ and thus measurement produces a secret key. This mimics the sifting 
process of the actual protocol, as Alice and Bob perform the measurements separately and compare 
their results by public discussion. Also crucial is the fact that the overall probability distribution for 
signals and measurement outcomes found here is precisely the same as in the prepare and mea- 
sure scheme. Thus, this state has the form claimed above: It provides a coherent description of 
the real protocol in which Alice and Bob each have key K and sifting S subsystems, and sifting is 
accomplished by local measurement of the latter subsystems and postselection. 

Noisy channels require the additional steps of parameter estimation, information reconcilia- 
tion, and privacy amplification, but change the above picture only slightly. Describing the channel 
resulting from Eve's attack by its decomposition into Kraus operators, and assuming the attack is 
collective, the state is altered by the noise to 

X \j)'''\k)'''\rf''Wf'\£f{rirk'\EMjk). (6.3) 
jj'kk'e 

In the sifting stage, Alice and Bob keep only the cases in which k = k' and subsequently discard 
the information specifying which value of k they observed. We can model this process as keeping 
only the k = k' terms in (6.3) and then giving the Ag and Bs systems to Eve. Alice and Bob keep only 
the raw key, and the state becomes (slightly redefining E) 

liP'^f'^^'^'o^Y, c';j,\jf'^\rf'\k,if, clj-ir^yklEel^jk). (6.4) 

Following the Shor-Preskill idea, as generalized in Section 4.3, Alice and Bob can construct the 
information reconciliation and privacy amplification protocols necessary to turn the raw key into 
a secret key once they are able to estimate Pguess(^'^'^l-Bi<:)^^ and Pguess{.X^'^\CzBK),p'^- A bound on 
the former is given directly by parameter estimation, but the latter is not so straightforward. The 
joint state of the key systems is determined via the coefficients Cjj,, creating a connection between 
the two guessing probabilities, albeit in general a not at all straightforward one. The structure of 
the sifting and of the signals and measurements greatly simplifies the connection, and makes it 
possible to find useful bounds on the latter guessing probability as a function of the former. This 
enables Alice and Bob to construct the remainder of the protocol to be provably secure. 

For BB84, one finds by direct calculafion that pguessl-^^*^!-^^*^) = Pguess(^^'^'l^^*^) regardless of 
the value of i. That is, the correlation in the amplitude basis (which gives the key itself) is precisely 
the same as the correlation in the phase basis (conjugate to the key). This was to be expected from 
the original coherent description of BB84 which explicitly uses EPR pairs from the beginning, since 
half the time the key comes from the original amplitude basis, and half the time from the phase 
basis, so the correlations ought to be the same. Using this relationship in the formula for the rate of 
secret key distillation. Equation (4.22) (ignoring ^ and T), we recover the rate rBB84 — 1 — 2^2(5), for 
5 the observed error rate in the raw key and /j2(5) = — 5 log2 5 — (1 — 5)log2(l — 5) the binary entropy, 
which leads to the threshold of 11%. Security against general coherent attacks is then ensured by 
the result of Christandl etal. [148]. 

A great advantage of the above approach is the modularity of the security proof. The details of 
the signals, measurements, and sifting are logically completely separate from the details of infor- 
mation reconciliation and privacy amplification. The former enter only into the coefficients Cjj,, 
which are used to select a CSS code for the latter. This approach is developed in [RG06] as a gener- 
alization of that used by Tamaki etal. [132] and Boileau etal. [135], and it is shown that it applies to 
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a wide class of protocols, particularly those based on so-caUed equiangular spherical codes. These 
are are constellations of pure states \^j} whose pairwise overlaps are all identical, as in the three- 
state protocol of PhoeniK [136] mentioned above, and were adapted for use in QKD generally by the 
author [149, 150, 151]. The other main contribution of [RG06] is the development of a method of 
exploiting the symmetries of the sifting scheme and the signal and measurement states to simplify 
this task, relying on results from group representation theory. 

To see how this works, consider the protocol in which Alice's signals are four qubit states for 
which I i^jl^k) P — |> as described in [150]. These form a regular tetrahedron in the Bloch-sphere 
representation of a qubit, and Bob's measurement is comprised of appropriately-normalized pro- 
jectors onto the states Irjk) for which {r]k\£,k} = 0, i.e. the inverse tetrahedron in the Bloch-sphere. 
Due to symmetry, Bob's measurement would randomly reveal one state which Alice did not send if 
the channel were noiseless, and so the information exchanged by Alice in the sifting stage consists 
of a random choice of two states she did not send. 

In one-third of cases these two pieces of information specify which state she did send, and Bob 
publicly announces that he has successfully decoded the transmission. From this they generate 
one secret bit corresponding to which of the two signals Alice did send, given the public exclusion 
of two of the initial possibilities. There are 12 possible announcements by Alice, since she must also 
specify how the two possible signal states are to be decoded into the raw key, and we may label the 
signal states by the combination of sifting announcement and raw key value. In this way each signal 
is counted six times, but this presents no difficulty as each is counted the same number of times. 
Much the same holds for Bob, and so the state in Equation (6.1) can be used to describe the protocol 
coherently. 

The remaining task is to use the c||, to bound PguessiX^^\CzBK) in terms of pguess[Z^^\Z^^). By 
exploiting symmetries of the QKD protocol as in [RG06], we can greatly simplify this task. Sup- 
pose that the sifting step of the protocol is such that there exist unitaries Uk and Vk for which 
l^jk) = Uk IC;o> and \r]jk} = Vk \r]jo}. Then the c^j, become c||, = {r]j'o\V,^ EeUkl^jo). Now let us focus 
on a particular Kraus operator Ei by fixing the value of£, but average over the value of k, which cor- 
responds to Alice and Bob throwing away the information specifying which particular sifting map 
they applied. Their shared state given the value of £ has the form 

ii'j]' k 

Examining the form of the matrix elements, we see that the sifting symmetries Uk and Vk create 
an effective channel having Kraus operators V^ E( Uk- Moreover, the group nature of these operators 
enables us to compute the action of the channel by appealing to representation theory. In the partic- 
ular case of the tetrahedral protocol, one finds that the effective channel is just a depolarizing chan- 
nel, irrespective of the value £. The depolarizing rate can be determined by the noise rate observed 
in the parameter estimation phase. Computing the state after the sifting step reveals that Alice and 
Bob can describe their shared key state by a Bell-diagonal state xP^kBk = p.^^ \Pjk) iPjkl'^^^'^, as 
in Equation (2.11), with the pjk satisfying poi — Pn =2pio. 

This implies PguessC^^*^!^^*^) = 5 and pg^essl^^'^l^^'^.Z^*^ =2"'^) = | while pg^essl^^^^l^^'^.Z^*^ ^ 
Z^*^) = 1 — 25/3(1 — 5). The latter guessing probabilities are directly related to PguessiX^^ \CzB) since 
Bob's knowledge of Z"^*^ stored in Cz can be equivalently thought of as the information as to whether 
or not an amplitude error Z^J^ 7^ Z^*^ occurred or not. Using these guessing probabilities in Equa- 
tion (4.22), we obtain the rate r,etra = l-/i2(5)-5/i2(|)-(l-5)/i2(25/3(l-5)), which has a threshold 
of 11.56%. In [RG06] the method is applied to several other spherical code protocols with signal and 
measurement states having Hilbert space dimension three. 
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6.3 Private States in Quantum Key Distribution 

By clever if perhaps unintuitive choice of preprocessing operations 2, in Equations (4.22) and (4.24) 
the error thresholds of QKD can be pushed higher than those found by the Shor-Preskill method 
alone. Understanding how this can be the case requires interpreting QKD as a virtual means of 
private state distillation rather than just entanglement distillation, as first shown in [RS07] . Further- 
more, the private state distillation approach suggests that it would be beneficial to combine two 
types of preprocessing operations previously studied, and this was indeed shown to be the case for 
the BB84 protocol in [SRS08] . Further improvements and an extension of the method to the six-state 
protocol were reported in [KR08] , and we describe both of these results here. 

That private state distillation is actually needed to give a fully quantum-mechanical description 
of QKD was necessitated by the work of Kraus, Gisin, and Renner [144, 145]. They established the 
seemingly-paradoxical result that the noise threshold of BB84 can be improved if Alice randomly 
flips some of her raw key bits before performing the final three steps of the protocol, and they re- 
ported a threshold improvement from 1 1% to 12.4%. From the viewpoint of QKD as a virtual scheme 
for entanglement distillation this additional step would seem to be counterproductive, as noise in- 
flicted by Alice behaves the same as noise inflicted by Eve. However, we saw in Chapter 3 that entan- 
glement is not actually necessary for secret key creation, private states are. This raises the question 
of whether or not one can view the noisy preprocessing step as part of a virtual scheme for private 
state distillation, which [RS07] answers in the affirmative. 

The crux of understanding such noisy preprocessing in a private state picture is to include the 
system Alice uses to impart the noise to her raw key and observe that it functions as a shield sys- 
tem. The overhead in the protocol of additional information reconciliation needed due to the noisy 
preprocessing is then more than made up for by a reduction in the required amount of privacy am- 
plification. The particular guessing probabilities found in the previous section imply that the state 
of Alice's and Bob's raw keys immediately after the sifting stage takes a Bell-diagonal form in which 
the probabilities of amplitude and phase error are independent and equal. That is, in the state 
^A^B^ = Y.jk Pjk Wjk) iPjkl^"'''', one has poo = (1 - 5f, pw = Poi = 5(1 - 5), and pn = 5^ for 5 the 
probability of amplitude (or phase) error. 

Now suppose that Alice randomly flips each raw key bit independently with some probability 
q. This process may be modelled as a cnot gate whose control is an ancillary system A' prepared 
by Alice in the state |(/?) = ^fl — q |0) + y^jl) and whose target is her raw key Ak- The error rate 
in Alice's and Bob's keys has jumped to 5' = 5[l — q') + q{l — 5), but the crucial difference from the 
entanglement distillation scenario is that for security it is relevant how well A' and Bjc together can 
predict X^*^, not merely how well could alone. 

The resulting state of AkA'Bk can be used to compute H{X^'^\A' B) for use in Equation (4.22); 
observe that we do not need to make use of the Cz system here because knowing if there is an am- 
plitude error tells Bob nothing about the likelihood of a phase error. Using Equation (4.22) and opti- 
mizing over the choice of q we recover the threshold of 12.4%. A similar calculation (now requiring 
the use of Cz) recovers the six-state threshold of 14.1%. Actually, [RS07] follows a different approach 
than what we have outlined here, directly constructing the twisting operator, but this can be seen 
as a particular case of the general results on private states and secret key distillation presented in 
Sections 3.4 and 4.3. 

In his security proof of the six-state protocol, Lo observed [130] that the threshold can be im- 
proved from the nominal 12.6% one would find following the Shor-Preskill method to 12.7% by em- 
ploying so-called degenerate quantum error- correcting codes first discussed by DiVincenzo, Shor, 
and Smolin [152]. This code consists of a concatenation of an amplitude repetition code with a ran- 
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dom CSS code and in the present context corresponds to a preprocessing operation 2. on blocks of 
inputs, as in Equation (4.24). 

Tiie degeneracy of tiie code refers to the fact that several different errors can share the same 
recovery operation and the syndrome need only reveal which recovery operation is required, a phe- 
nomenon which is not possible for classical error-correcting codes. For example, in the amplitude 
repetition code of Section 2.2.1, the three possible phase errors acting on single qubits all have the 
same effect on the encoded quantum information, namely as a phase flip. Thus, if we concatenate 
the repetition code with another code, we need not determine the precise location of a phase error 
on the physical qubits. Reducing the number of stabilizers needed to enable correction of phase 
errors implies a reduction in the necessary amount of privacy amplification in the context of QKD, 
and thus the threshold increases. 

Shor's nine-qubit code described in Section 2.2.2 provides a simple example. There we consid- 
ered the effect of a single phase flip error on the fourth qubit and found that it would be detected by 
measuring certain stabilizer operators. But it is clear from the argument there that the same result 
is obtained for a phase error on either qubit five or six. This is reflected in the fact that associated 
with the code are are six amplitude stabilizers and only two phase stabilizers. The former determine 
the precise location of an amplitude error, but the latter only fix the location of the phase error up 
to the position in the block. This is all that is necessary. 

It is possible to combine the noisy preprocessing discussed above with degenerate codes to im- 
prove the threshold of BB84 still further, as described in [SRS08]. The original protocol is mod- 
ified as follows. After the raw key is created in the sifting phase, Alice performs a noisy prepro- 
cessing step in which she independently flips each raw key bit with some probability q. Then she 
computes the syndromes of an amplitude repetition code encoding one qubit into m qubits, i.e. 
Z\® Z2,Z\® z-i, . . . ,Z\® Zm and transmits these publicly to Bob. The flrst bit of each block she saves 
for further use as the key. Bob then computes the syndromes of his block, and attempts to correct 
his key bit so that the syndromes match Alice's, exactly as was done in the entanglement distillation 
protocol discussed in Section 2.3. Alice and Bob then repeat this process for many blocks, collecting 
one key bit per block. On these refined key bits they then perform information reconciliation and 
privacy amplification as needed. 

To determine the threshold, for which the main difficulty is, as usual, to determine the amount 
of privacy amplification needed, it is simpler to focus on Eve's states and compute 11{Ak\^S), where 
S denotes the syndrome information and Ak the key bit encoded in the repetition code. Again the 
symmetries of the problem enable the use of group representation theory to make the calculation 
numerically tractable, allowing thresholds for blocklengths in the hundreds to be determined. The 
best threshold found in [SRS08] is 12.9%, corresponding to ^7 0.32 and m = 400. A more elaborate 
analysis is required for the six-state protocol, and this is carried out in [KR08] , with the result that the 
threshold is at least 14.59%. Additionally, the effects of iterating the entire noisy preprocessing plus 
repetition code procedure are investigated therein, and this is found to offer substantial increases 
in the key distribution rate of the protocol at high error rates, though the overall threshold is not as 
large. 

As mentioned previously, the use of repetition codes is a type of blockwise preprocessing, in 
contrast to the noisy preprocessing which is applied to single key bits. As blockwise preprocess- 
ing is more complicated, and the expression for the optimal rate for secret key distillation. Equa- 
tion (4.24), essentially impossible to evaluate, the question arises whether blockwise preprocessing, 
i.e. regularization are truly necessary. Unfortunately, the answer is yes, as observed in [SRS08]. One 
can show that the threshold found by noisy preprocessing, 12.4%, is the optimal threshold using 
single-bit, or single-letter preprocessing. Since the combination of noisy processing and repetition 



65 



6. Security of Quantum Key Distribution 



codes leads to a higher threshold, regularization must in general be necessary. This result then ap- 
plies to the private capacity of a channel as well, since one way to communicate privately is to first 
generate secret keys and then encrypt the actual message to be sent. 

Thus, neither the secret key distillation rate nor the private capacity are single-letterizeablequan- 
tities. This reveals a large distinction between classical and quantum information theory, as single- 
letter quantities are usual in the former, reflecting the fact that the random coding arguments of 
Shannon are optimal in a wide variety of situations. In quantum information theory this is no longer 
true. The degenerate codes found by DiVincenzo, Shor, and Smolin [152] show that the quantum 
capacity is also not single-letterizeable, while Hastings has recently established that the classical 
capacity of a quantum channel is not single-letterizeable either [153]. Despite the apparent simi- 
larities with classical information theory, a full understanding of quantum information theory will 
require the development of tools beyond the usual random coding methods. 
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The preceding six chapters demonstrate that, far from being just an abstract mathematical study, 
the study of quantum information theory is quite closely connected to core physical concepts, 
namely complementarity and the uncertainty principle. Indeed, although we have presented the 
topics of this thesis in a logical order, it was actually research into secret key distillation in [RB08] 
that led to the conjecture of the entropic uncertainty principle of Equation (1.7) in [RB09] and its 
eventual proof in [BCC+10]. 

The results described in this thesis spring from trying to make sense of what it means to have 
"quantum" information, working within the formalism of quantum theory itself. Using the con- 
ditional entropy H{Z^\B)i^, we can describe the information held by B about the amplitude mea- 
surement Z on system A, when A and B are jointly in the quantum state ip"^^. Having quantum 
information then refers to the situation in which B implicitly contains information about two com- 
plementary observables X and Z, and the uncertainty principle in the form H{X^ \ B) + H[Z^ \C)>^ 
constrains the extent to which information about both can be simultaneously explicitly realized. 
Quantum information processing protocols can then be constructed by mimicking related classical 
information processing protocols for the two complementary pieces of classical information, taking 
care not to violate the uncertainty principle. 

Although complementarity is at the heart of the results presented herein, to complete the proofs 
we have also relied heavily on certain algebraic properties both of the observables X and Z as de- 
fined in Equation (3.25) and of the attendant CSS stabilizer codes. In particular, the algebraic prop- 
erties of the amplitude and phase observables play important roles in Theorems 1,3,4, and 6, while 
the algebraic structure of CSS codes is used extensively throughout Chapters 4, 5, and 6. Remov- 
ing the algebraic requirement on the observables is precisely the difference between the uncer- 
tainty principle results of [RB09] and [BCC+10], and a major goal of future work is to remove this 
requirement from the aforementioned results as well. The situation is akin to difference between 
the heuristic use of the uncertainty principle in the early proofs of QKD, where the uncertainty prin- 
ciple provided guidance for the actual algebraic arguments, and the recently formulated BB84 se- 
curity proof of Tomamichel etal. [118, 140] based directly on the uncertainty principle formulated 
in terms of smooth-entropy. 

This goal is likely to be fairly straightforward for the results of Chapter 3, but the use of CSS 
codes in the protocols of the subsequent chapters appears much more central to those results. The 
difficulty lies in the need to combine classical protocols for complementary observables in such 
a way that all the important quantities can actually simultaneously exist, i.e. the corresponding 
operators all commute. In the entanglement distillation scheme of Chapter 4 for instance, the use 
of CSS codes ensures that the syndrome information needed to establish strong phase correlations 
does not interfere with either the amplitude syndromes nor the final encoded amplitude. 

Another goal of future work will be to extend all the results beyond the realm of asymptotic i.i.d. 
resources and into the one-shot domain of structureless resources briefly described in Section 5.1.4. 
Here we have presented optimal protocols in the former scenario, but it is not clear whether this 
will be possible in the more general setting. One cause for hope is that the uncertainty principle 
already plays a fundamental role in the one-shot setting. Tomamichel et al. [154] have shown that 
the smooth min- and max-entropies are not independent: One may be defined in terms of the 
other using a purification system. The smooth entropy uncertainty relation then follows from this 
duality [118]. 

Finally, a much more ambitious goal is to extend the notion of quantum information as com- 
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plementary classical information past the simple two-party communication scenarios studied here. 
Can this point of view shed some light into how quantum computers work? 
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